Implementing Cisco
Intrusion Prevention
Systems
Volume 2
Version 6.0
Student Guide
EPWS: 06.08.07
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Table of Contents
Volume 2
Advanced Cisco IPS Configuration 4-1
Overview 4-1
Module Objectives 4-1
Performing Advanced Tuning of Cisco IPS Sensors 4-3
Overview 4-3
Objectives 4-3
Sensor Configuration 4-4
IP Logging 4-11
Reassembly Options 4-17
How to Define Event Variables 4-20
Target Value Rating 4-22
Event Action Overrides 4-25
Event Action Filters 4-30
Risk Rating System 4-34
General Settings of Event Action Rules 4-43
Summary 4-46
Monitoring and Managing Alarms 4-47
Overview 4-47
Objectives 4-47
Cisco IEV Overview 4-48
Installing Cisco IEV 4-49
Configuring Cisco IEV 4-50
Viewing Events 4-64
Cisco Security Management Suite Overview 4-71
External Product Interface 4-75
Integrating Cisco Security Agent into an IPS Installation 4-80
Cisco ICS 4-84
Summary 4-87
Configuring a Virtual Sensor 4-89
Overview 4-89
Objectives 4-89
Virtual Sensor Overview 4-90
Preparing for Virtual Sensors 4-94
Creating Virtual Sensors 4-104
Summary 4-107
Configuring Advanced Features 4-109
Overview 4-109
Objectives 4-109
Anomaly Detection Overview 4-110
Anomaly Detection Components 4-112
Configuring Anomaly Detection 4-127
Monitoring Anomaly Detection 4-138
POSFP Overview 4-141
Operating System Identification 4-143
Configuring POSFP 4-144
Monitoring POSFP 4-154
Summary 4-157
Configuring Blocking 4-159
Overview 4-159
Objectives 4-159
Blocking Overview 4-160
ACL Considerations 4-170
How to Configure Automatic Blocking 4-180
How to Configure Manual Blocking 4-190
How to Configure a Master Blocking Scenario 4-195
Summary 4-203
Module Summary 4-204
References 4-206
Additional Cisco IPS Devices 5-1
Overview 5-1
Module Objectives 5-1
Installing the Cisco Catalyst 6500 Series IDSM-2 5-3
Overview 5-3
Objectives 5-3
Cisco Catalyst 6500 Series IDSM-2 Overview 5-4
Installing the Cisco Catalyst 6500 Series IDSM-2 5-14
Configuring Cisco Catalyst 6500 Series IDSM-2 Interfaces 5-18
Monitoring the Cisco Catalyst 6500 Series IDSM-2 5-24
Maintaining the Cisco Catalyst 6500 Series IDSM-2 5-25
Summary 5-29
Initializing the Cisco ASA AIP-SSM 5-31
Overview 5-31
Objectives 5-31
Cisco ASA AIP-SSM Overview 5-32
Loading the Cisco ASA AIP-SSM 5-38
Initial Cisco ASA AIP-SSM Configuration Using Cisco ASDM 5-48
Configuring an IPS Security Policy 5-49
Summary 5-55
Module Summary 5-56
References 5-57
Cisco IPS Sensor Maintenance 6-1
Overview 6-1
Module Objectives 6-1
Maintaining Cisco IPS Sensors 6-3
Overview 6-3
Objectives 6-3
Understanding Cisco IPS Licensing 6-4
How to Upgrade and Recover Sensor Images 6-12
How to Install Service Packs and Signature Updates 6-26
Password Recovery 6-35
How to Restore a Cisco IPS Sensor 6-44
Summary 6-46
Managing Cisco IPS Sensors 6-47
Overview 6-47
Objectives 6-47
Using the CLI to Monitor the Sensor 6-48
Using the Cisco IDM to Monitor the Sensor 6-61
Monitoring Using Cisco Security Manager 6-64
Monitoring Using SNMP 6-65
Summary 6-67
Module Summary 6-68
References 6-68
ii Implementing Cisco Intrusion Prevention Systems (IPS) v6.0 © 2007 Cisco Systems, Inc.
Module 4
Advanced Cisco IPS Configuration
Overview
This module discusses how sensors can be tuned to provide the most beneficial and efficient
intrusion protection solution. It also examines some of the tools available to achieve this.
Module Objectives
Upon completing this module, you will be able to configure some of the more advanced
features of the Cisco Intrusion Prevention System (IPS) product line. This ability includes
being able to meet these objectives:
Use the Cisco IDM to tune a Cisco IPS sensor to work optimally in the network
Use additional monitoring tools to maximize alarm management efficiency
Explain the virtual sensor, its settings, and advantages
Explain, configure, and monitor anomaly detection and POSFP
Explain blocking concepts and use the Cisco IDM to configure blocking for a given
scenario
Lesson 1
Performing Advanced Tuning of Cisco IPS Sensors
Overview
This lesson discusses how to tune Cisco Intrusion Prevention System (IPS) sensors to provide
the most beneficial and efficient intrusion protection solution.
Objectives
Upon completing this lesson, you will be able to use the Cisco IPS Device Manager (IDM) to
tune a Cisco IPS sensor to work optimally in the network. This ability includes being able to
meet these objectives:
Explain how to tune the sensor to avoid evasive techniques and provide network-specific
intrusion prevention
Explain the logging capabilities of the sensor, how to configure logging, and the
performance ramifications of logging
Describe the concept of IP fragment and TCP stream reassembly
Define and configure event variables
Explain and configure TVRs
Describe and configure event action overrides
Describe and configure event action filters
Describe the risk rating system and the values that it uses to calculate the risk rating
number
Describe and configure the general settings for event action rules
Sensor Configuration
This topic explains how to tune the sensor to avoid evasive techniques and provide network-
specific intrusion protection.
Sensor Tuning
“Tuning” is a general term that is applied to the process of setting up a sensor in such a way
that it provides the correct level of information necessary for protecting your specific network.
If your sensor is to serve you efficiently, you must determine what level of events you want
from the sensor and what you are going to do with that event information. A sensor can provide
information on network events at as low a level as reporting every HTTP connection attempt or
every ping sweep or port sweep, but if you have no intention of using this data, there is little
reason to collect it.
One of the main purposes of tuning is to modify the sensor system behavior so that the alarms
that are generated have a much higher fidelity, or likelihood of being correct, and a lower
chance of reflecting anything other than a true event. Another purpose of tuning is to quickly
and efficiently identify attacks in progress in order to respond to them.
Sensor Tuning (Cont.)
For tuning to be successful, you must be knowledgeable about your network and the individual
devices that the sensor is protecting. It is also important to have a good understanding of the
protocols used on your network; it is especially important to understand the protocol inspected
by any signature that you intend to tune. This knowledge enables you to recognize normal
versus abnormal network activity.
The information that you should gather before tuning your sensor includes, but is not limited to,
the following:
The network topology
The network address space under observation
Which inside addresses are statically assigned to servers and which are DHCP addresses
The operating system running on each server
Applications running on the servers
The security policy
This network knowledge is important if you have to sort through events that may or may not
have relevance and make decisions about how to react to each one. The decision is affected by
such information as the source and destination addresses of each event, the operating system of
a targeted server, the applications that are running on the server, and the normal behavior of the
server.
For example, you might see ping sweep events coming from IP address 10.0.1.99. These might
normally be considered suspicious events. However, if you know that 10.0.1.99 is a server
running HP OpenView network management software (which does ping sweeps as part of its
normal network discovery functionality), you can tune out the event by using the sensor alarm
channel filtering function so that the sensor never again triggers that event when it comes from
the 10.0.1.99 address.
Sensor Location
[Figure: sensor placement relative to the firewall, on the Internet side versus inside]
The location of the sensor has an important influence on how it is tuned. A typical deployment
location consideration is whether the sensor is watching traffic outside or inside the firewall.
Another consideration is whether the traffic being monitored is mostly Internet traffic coming
in or user traffic going out to the Internet, versus predominantly internal traffic.
When the sensor is outside the firewall, consider these tuning guidelines:
Avoid assigning a high severity level to any individual event.
Turn off all response actions.
Use the sensor primarily to look for trends on the Internet such as activity explosions,
which can indicate attacks such as Code Red or Nimda.
Another reason why location plays an important role is that the security policy the sensor must
enforce may vary at different deployment points. A sensor that monitors traffic outside a
perimeter firewall can function independently of security policy because there is no policy to
enforce at that point; a sensor on a tightly controlled demilitarized zone (DMZ) segment,
however, must reflect a much tighter policy. If Telnet and FTP are not allowed on the DMZ, it
would be reasonable to set high severity levels for Telnet and FTP signatures on the DMZ sensor
so that those protocols generate a high-severity event any time that they are seen.
The phases of tuning correspond to the length of time that the sensor has been running at the
current location. These are the phases:
Deployment phase: This phase is completed during initial setup and deployment. During
this phase, the sensor is normally running the default configuration, which is generally
close to being tuned for the average deployment. Depending on your security policy and
the location of your sensor, you may choose to turn on specific signatures for activity that
you want to track. You typically do this using one of the connection signatures to track
activity on a specific TCP or User Datagram Protocol (UDP) port or a type of Internet
Control Message Protocol (ICMP) packet.
Tuning phase: Although it could last up to several weeks, this phase usually takes place
during the two weeks after the end of the deployment phase. Most of the activity and work
occurs during the tuning phase. Before you start the tuning phase, the sensor should be up
and running for a continuous period so that it sees a normal sampling of network activity.
During this time, it is possible for the sensor to fire a considerable number of events. Do
not delete these events, because they can be used extensively in the tuning process. Observe
which alarm types are being triggered most frequently and note their source and destination
addresses. Using the Network Security Database (NSDB) as a reference, you can then
proceed to examine each of the top alarm sources to determine whether an event worth
investigating is occurring.
Maintenance phase: This phase is completed periodically as tuning becomes necessary,
such as each time a signature update is applied to the sensor. Because signature updates add
new signatures and modify the way in which existing ones fire, maintenance tuning could
include turning alarms off, modifying their default severity levels or parameters, or creating
filters either on the sensor or on your monitoring application.
Methods of Tuning
You can dramatically increase the benefits of your sensor by adhering to the guidelines that
apply to settings for individual signatures and monitoring applications. However, you can
further increase these benefits by increasing the efficiency of your sensor via global sensor
settings that can conserve valuable system resources. The following global sensor settings can
be configured:
IP logging
IP fragment reassembly
TCP stream reassembly
IP Logging
This topic explains the logging capabilities of the sensor, how to configure logging settings via
the Cisco IDM, and the effects of IP logging on the sensor.
IP Logging
The IP logging feature provides the ability to capture raw, unaltered IP packets. IP logs differ
from alerts. They are copies of the binary packets that the sensor sees on the network.
Information from IP logs can be used for confirmation, damage assessment, and forensic
evidence.
The simplest IP logging consists of an IP address. You can configure the sensor to capture all
IP traffic associated with a host that you specify by IP address. The sensor begins collecting as
soon as it sees the first IP packet with this address and continues collecting depending on the
parameters that you have set. You can specify in minutes how long you want the traffic to be
logged at the IP address, how many packets you want logged, and how many bytes you want
logged. The sensor stops logging IP traffic at the first parameter that you specify.
The IP Logging panel displays all IP logs that are available for downloading on the system.
When a signature whose configured actions include IP logging fires, the sensor creates an IP
log, and the alert that triggered the log appears in the IP logging table.
One of the largest problems with storing information to a fixed resource such as a hard drive or
memory is handling all the error conditions properly. The IPS IP logging design ensures that
there is always room to write a new IP log file.
When the sensor starts, it sets up a reusable ring of files for IP logging. After 512 MB of data
has been logged, the sensor starts reusing these files. The sensor reuses files by overwriting the
file with the oldest closing time. A file is closed when it reaches its configured expiry or when
its full size has been used. Because the files are preallocated, there is no reason to delete them;
however, remember that IP logging does affect performance.
You can copy IP log files to an FTP or Secure Copy Protocol (SCP) server so that you can view
them with a packet analysis tool such as Ethereal (now Wireshark) or tcpdump. The files are
stored in pcap binary form with the pcap file extension.
You can use the command iplog-status at the command-line interface (CLI) to verify that IP
logs are being created and display a description of the available IP log contents. IP log files can
be retrieved from the sensor before or after they are closed. If you try to retrieve an IP log
before the file closes, you get all parts of any packet, but you may not get the last couple of
packets. IP log files can be retrieved by the following methods:
Use the CLI copy command to copy the IP log files to another host system using FTP or
SCP.
Download the IP log files via the Cisco IDM.
After retrieving the IP log files, you can use a network protocol analyzer to examine the data.
You can use Ethereal, tcpdump, or any other reader that understands libpcap format. Libpcap
format contains the data of the captured packets in binary form and is a standard used by
network tools such as WinDump, Ethereal, and Snort.
Caution Because of its impact on performance, IP logging should only be used temporarily for such
purposes as attack confirmation, damage assessment, or forensic evidence.
Configuring Manual IP Logging
[Figure: Cisco IDM, Monitoring > IP Logging panel, with Add and Stop buttons]
Step 2 Choose IP Logging from the table of contents. The IP Logging panel is displayed.
Note If you choose a log ID and click Stop, the Stop IP Logging window opens, asking if you are
sure you want to stop logging for the ID you selected. If you click OK, the logging entry is
removed from the IP Logging panel.
[Figure: Add IP Logging window: IP Address, Duration, Packets, and Bytes fields; Apply button]
Step 4 In the IP Address field, enter the IP address of the host from which you want IP logs
to be captured. You receive an error message if you are trying to add a capture that
exists and is in the added or started state.
Step 5 In the Duration field, enter the number of minutes that you want IP logs to be
captured. Valid values range from 1 to 60 minutes.
Step 6 (Optional) Enter the number of packets that you want to be captured in the Packets
field. Valid values range from 0 to 4294967295.
Step 7 (Optional) Enter the number of bytes that you want to be captured in the Bytes field.
Valid values range from 0 to 4294967295.
Step 8 Click Apply to apply your changes and save the revised configuration. The IP
address is displayed on the IP Logging panel along with the following information:
Log ID: This is the ID of the IP log.
Status: This is the status of the IP log. Valid values are added, started, or
completed.
Event Alert: This is the event alert, if any, that triggered the IP log.
Start Time: This is the time stamp of the first captured packet.
Current End Time: This is the time stamp of the last captured packet. There is
no time stamp if the capture is not complete.
Packets Captured: This is the current count of the packets captured.
Bytes Captured: This is the current count of the bytes captured.
You can edit an existing log entry by choosing it in the list and then clicking Edit. The Edit IP
Logging window opens, enabling you to edit the Duration, Packets, and Bytes values for the IP
address for which logging is configured.
Viewing IP Logs
[Figure: Cisco IDM, Monitoring > IP Logging panel, Download button]
Step 1 To download an IP log, from the IP Logging panel choose the log ID and click
Download. The Save As dialog box appears.
Step 2 Save the log to your local machine. You can view it with Ethereal.
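The following added example (written for this edition of the text, not part of the course or of the Cisco IPS software) shows how to check a downloaded IP log before relying on it as evidence: it parses the libpcap file directly, confirms that every packet involves the logged host, and compares the packet count, byte count, and elapsed time against the Duration, Packets, and Bytes limits that were configured for the capture. It assumes the log uses the Ethernet link type and contains IPv4 packets; the sample capture is constructed inline so the code runs offline.

```python
"""Parse an IP log downloaded from the sensor (libpcap format) and check it
against the limits configured in the IP Logging panel.

Added example, not part of the course material. The sensor writes standard
libpcap files; this parser handles only Ethernet/IPv4 records (an assumption
about the link type the sensor records). The capture bytes below are
constructed inline so the example runs offline.
"""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
ETH_HDR = 14


def parse_pcap(data: bytes):
    """Yield (timestamp_seconds, src_ip, dst_ip, caplen) for each IPv4 record."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _wirelen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = data[off:off + caplen]
        off += caplen
        if struct.unpack_from("!H", pkt, 12)[0] != 0x0800:  # not IPv4
            continue
        src = socket.inet_ntoa(pkt[ETH_HDR + 12:ETH_HDR + 16])
        dst = socket.inet_ntoa(pkt[ETH_HDR + 16:ETH_HDR + 20])
        yield ts_sec + ts_usec / 1e6, src, dst, caplen


def check_iplog(data: bytes, logged_host: str, duration_min: int,
                max_packets: int = 0, max_bytes: int = 0) -> dict:
    """Summarise the log and list anything outside the configured limits.
    A limit of 0 for packets or bytes means 'not set', as in the IDM."""
    records = list(parse_pcap(data))
    packets = len(records)
    byte_total = sum(r[3] for r in records)
    foreign = [r for r in records if logged_host not in (r[1], r[2])]
    elapsed = (records[-1][0] - records[0][0]) if records else 0.0
    problems = []
    if foreign:
        problems.append(f"{len(foreign)} packets do not involve {logged_host}")
    if max_packets and packets > max_packets:
        problems.append(f"{packets} packets exceeds limit {max_packets}")
    if max_bytes and byte_total > max_bytes:
        problems.append(f"{byte_total} bytes exceeds limit {max_bytes}")
    if elapsed > duration_min * 60:
        problems.append(f"capture spans {elapsed:.0f}s, longer than {duration_min} min")
    return {"packets": packets, "bytes": byte_total, "elapsed": elapsed, "problems": problems}


# --- constructed sample: three IPv4 packets to/from 10.0.1.99 plus one stray ---
def _ipv4_frame(src, dst, payload=b"x" * 20):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def _pcap(frames, start=1_180_000_000):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):  # one frame every 30 seconds
        out += struct.pack("<IIII", start + i * 30, 0, len(f), len(f)) + f
    return out


SAMPLE_LOG = _pcap([
    _ipv4_frame("10.0.1.99", "10.0.2.5"),
    _ipv4_frame("10.0.2.5", "10.0.1.99"),
    _ipv4_frame("10.0.1.99", "10.0.2.6"),
    _ipv4_frame("192.168.9.9", "10.0.2.7"),   # should not appear in a log for 10.0.1.99
])

if __name__ == "__main__":
    print(check_iplog(SAMPLE_LOG, "10.0.1.99", duration_min=1, max_packets=3))
```

A log retrieved before the file closes may legitimately be short of the last few packets, so a packet count below the configured limit is not a problem; a count above it, or a packet that does not involve the logged host, means you are looking at the wrong file or a reused ring slot.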
[Figure: Cisco IDM, Configuration > Signature Definitions > sig0, Miscellaneous tab: Max IP Log Packets field]
You can configure a sensor to generate an IP session log when the sensor detects an attack.
When IP logging is configured as a response action for a signature and the signature is
triggered, all packets to and from the source address of the alert are logged for a specified
period of time.
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 2 Click Configuration and choose Signature Definitions > sig0 and click the
Miscellaneous tab.
Step 4 In the IP Log Time field, enter the duration that you want the sensor to log.
Step 5 In the Max IP Log Bytes field, enter the maximum number of bytes that you want
logged.
Step 6 Click Apply to apply your changes and save the revised configuration.
Reassembly Options
This topic describes IP fragment and TCP stream reassembly. It also explains how their settings
affect the sensor.
Reassembly Overview
Reassembly options affect the sensing function but are not necessarily specific to a particular
signature or set of signatures. Reassembly settings ensure that valuable system resources are
not wasted. In the Cisco IDM, you can choose two reassembly options:
For IP fragments
For TCP streams
[Figure: Cisco IDM, Configuration > Signature Definitions > sig0, Miscellaneous tab: Fragment Reassembly (IP Reassembly Mode) and Stream Reassembly (TCP Handshake Required, TCP Reassembly Mode)]
You can use the Miscellaneous tab in the Cisco IDM to configure both IP fragment reassembly
and TCP stream reassembly. Complete the following steps to configure IP fragment reassembly
options:
Step 1 Click the Configuration button.
Step 4 From the sig0 panel, click the Miscellaneous tab. The Miscellaneous panel is
displayed.
Step 5 Under Fragment Reassembly, click the green icon next to IP Reassembly Mode and
choose the operating system whose fragment reassembly behavior the sensor should
emulate. Operating systems resolve overlapping fragments differently, so choose the
operating system of the hosts the sensor protects; otherwise an attacker can send
overlapping fragments that the sensor and the target reassemble into different data.
Complete the following steps to configure TCP stream reassembly options (the first steps are
the same as for IP fragment reassembly):
Step 4 From the sig0 panel, click the Miscellaneous tab. The Miscellaneous panel is
displayed.
Step 5 Under Stream Reassembly, click the green icon next to TCP Handshake Required
and choose Yes if you want the sensor to only track sessions for which the three-way
handshake is completed. Otherwise, choose No.
Step 6 Click the green icon next to TCP Reassembly Mode and choose one of the following
modes for the sensor to use for reassembling TCP sessions:
Strict: This mode allows only the next packet that is expected in a given stream.
If a packet is missed for any reason, reassembly terminates for that stream.
Loose: This mode allows gaps in the sequence. If a packet in a stream is missed,
stream reassembly continues on a best-effort basis. Because this option can
consume excessive resources on the sensor, it should be used only in
environments where packets might be dropped.
Asymmetric: This mode allows asymmetric traffic, where acknowledgments
(ACKs) traverse a different path and are not seen by the sensor, to be
reassembled. This option disables TCP window evasion checking.
Step 7 Click Apply to apply your changes and save the revised configuration.
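As an added illustration (not code from the course or from the sensor), the following model shows what the Strict and Loose modes mean for an evasion attempt in which one segment of a TCP stream never reaches the sensor, for example because the attacker sent it with a TTL that expires between the sensor and the target. Strict mode stops tracking the stream at the gap, so data that arrives afterward is never inspected; Loose mode skips the gap and keeps inspecting. Asymmetric mode is not modeled. The segments and the request they carry are constructed for the example.

```python
"""Model of the sensor's TCP reassembly modes (strict vs. loose) over a stream
with a missing segment.

Added example, not code from the course or from the Cisco IPS product; it
reproduces only the behaviour the modes are described as having: strict mode
stops reassembling the stream at the first gap, loose mode skips the gap and
keeps going. Segments are constructed inline as (seq, payload) tuples.
"""


def reassemble(segments, isn, mode="strict"):
    """Return (data, terminated).

    segments: iterable of (seq, payload) in the order the sensor saw them;
    isn: sequence number of the first byte the sensor expects;
    mode: "strict" or "loose".
    """
    if mode not in ("strict", "loose"):
        raise ValueError(mode)
    pending = sorted(segments)   # order by sequence number; tolerates out-of-order arrival
    data = bytearray()
    expected = isn
    for seq, payload in pending:
        end = seq + len(payload)
        if end <= expected:
            continue                        # pure retransmission, nothing new
        if seq > expected:
            if mode == "strict":
                return bytes(data), True    # gap: reassembly terminates for the stream
            expected = seq                  # loose: best effort, carry on after the hole
        data += payload[expected - seq:]    # trim any overlap with data already seen
        expected = end
    return bytes(data), False


def matches(data, pattern=b"/etc/passwd"):
    """Stand-in for a string signature evaluated over the reassembled stream."""
    return pattern in data


# Constructed stream: an HTTP request split across segments. The segment carrying
# "Accept: */*\r\n" (seq 1026, 13 bytes) is never seen by the sensor; the first
# segment is also retransmitted once.
ISN = 1000
SEEN = [
    (1000, b"GET /index.html HTTP/1.0\r\n"),
    (1000, b"GET /index.html HTTP/1.0\r\n"),    # retransmission
    (1039, b"X-Evil: ../../etc/passwd\r\n"),     # arrives after the hole
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        data, stopped = reassemble(SEEN, ISN, mode)
        print(mode, "terminated" if stopped else "ok", matches(data), data)
```

Strict is the right default where the sensor sees every packet of the session: a stream it cannot reconstruct faithfully is not worth matching on, and an attacker who can make segments vanish between the sensor and the target has already defeated inspection. Loose belongs only on a path where drops between sensor and target are expected, and it costs memory for every stream with a hole.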
How to Define Event Variables
[Figure: Cisco IDM, Configuration > Event Action Rules > rules0, Event Variables tab, Add button]
You can create event variables and then use those variables in event action filters. If you want
to use the same value within multiple filters, use a variable. When you change the value of the
variable, any filter using that variable is updated with the new value.
Note You must preface the variable with a dollar sign ($) to indicate that you are using a variable
rather than a string.
For example, if you have an IP address space that applies to your engineering group, and there
are no Microsoft Windows systems in that group and you are not worried about any Windows-
based attacks on that group, you could set up a USER-ADDR1 variable to be the IP address
space of the engineering group. You could then use this variable to configure a filter that would
ignore all Windows-based attacks for USER-ADDR1.
Step 4 From the rules0 panel, click the Event Variables tab. The Event Variables panel is
displayed.
Configuring Event Variables (Cont.)
[Figure: Add Event Variable window: Name, Type, and Value fields]
Step 6 Enter a name for the variable in the Name field. A valid name can only contain
numbers or letters. You can also use a hyphen (-) or an underscore (_). You cannot
change the name of an existing variable.
Step 7 Enter the values for this variable in the Value field. You can use commas as
delimiters, but ensure that there are no spaces after the comma. Otherwise, you
receive a Validation Failed error. The following is an example of designating both
the 10.0.1.0 and the 172.16.1.0 network, both with a netmask of 255.255.255.0:
10.0.1.0-10.0.1.255,172.16.1.0-172.16.1.255
Step 8 Click OK. The new variable is displayed in the list on the Event Variables panel.
Note Click Reset to refresh the panel by replacing any edits that you made with the previously
configured value.
Step 9 Click Apply to apply your changes and save the revised configuration.
You can edit an existing variable by choosing it in the list and then clicking Edit. The Edit
Event Variable window opens, enabling you to edit the variable values.
Target Value Rating
You can assign a target value rating (TVR) to your network assets. The TVR is one of the
factors used to calculate the risk rating value for each alert. You can assign different target
value ratings to different targets. Events with a higher risk rating trigger more severe signature
event actions.
Configuring TVRs
[Figure: Cisco IDM, Configuration > Event Action Rules > rules0, Target Value Rating tab, Add button]
Step 4 From the rules0 panel, click the Target Value Rating tab. The Target Value Rating
panel is displayed.
Step 5 Click Add to create a new TVR. The Add Target Value Rating window opens.
[Figure: Add Target Value Rating window: Target Value Rating drop-down menu, Target IP Address(es) field]
Step 6 Choose a rating from the Target Value Rating (TVR) drop-down menu. The values
are High, Medium, Low, Mission Critical, or No Value.
Step 7 Enter the IP address of the network asset in the Target IP Address(es) field. For a
range of IP addresses, enter the lowest address followed by a hyphen and the highest
address in the range. The following is an example of a range of addresses:
10.10.2.1-10.10.2.30
Step 8 Click OK. The new TVR is displayed in the list on the Target Value Rating panel.
Step 9 Click Apply to apply your changes and save the revised configuration.
To edit an existing TVR, choose it from the list and click Edit. The Edit Target Value Rating
window opens, enabling you to modify the values in the Target IP Address(es) field.
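Both the Value field of an event variable and the Target IP Address(es) field of a TVR use the same syntax: single addresses or lowest-highest ranges, separated by commas with no space after the comma. The following added example (not part of the course) converts the CIDR notation typically found in an asset inventory into that syntax, validates a value the way the IDM does, and looks up which TVR a given target address falls under. The rating returned when no TVR matches is an assumption made for the example.

```python
"""Build and validate the address lists used in Event Variables and Target
Value Ratings, and look up the TVR that applies to a target.

Added example, not part of the course. Both fields take addresses as either
single IPs or "lowest-highest" ranges, comma-separated with no space after
the comma. This helper converts CIDR notation into that form and rejects
values the IDM would refuse (spaces, inverted ranges, malformed addresses).
"""
import ipaddress
import re

_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def to_sensor_range(spec: str) -> str:
    """Normalise one entry: '10.0.1.0/24' -> '10.0.1.0-10.0.1.255'."""
    spec = spec.strip()
    m = _RANGE.match(spec)
    if m:
        low, high = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
    elif "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        low, high = net.network_address, net.broadcast_address
    else:
        low = high = ipaddress.IPv4Address(spec)   # raises ValueError if malformed
    if low > high:
        raise ValueError(f"range {spec} has lowest address after highest")
    return str(low) if low == high else f"{low}-{high}"


def build_value(specs) -> str:
    """Join entries the way the Value / Target IP Address(es) field expects."""
    return ",".join(to_sensor_range(s) for s in specs)


def validate_value(value: str) -> list:
    """Return a list of problems; an empty list means the IDM should accept it."""
    problems = []
    if " " in value:
        problems.append("contains a space (Validation Failed in the IDM)")
    for entry in value.split(","):
        try:
            to_sensor_range(entry)
        except ValueError as exc:
            problems.append(f"{entry!r}: {exc}")
    return problems


def tvr_for(ip: str, tvr_table) -> str:
    """Return the TVR whose address list covers ip.

    tvr_table: [("Mission Critical", "10.10.2.1-10.10.2.30"), ...] in the
    order configured. "Medium" is assumed here as the rating that applies
    when no TVR entry matches.
    """
    addr = ipaddress.IPv4Address(ip)
    for rating, value in tvr_table:
        for entry in value.split(","):
            low, _, high = to_sensor_range(entry).partition("-")
            if ipaddress.IPv4Address(low) <= addr <= ipaddress.IPv4Address(high or low):
                return rating
    return "Medium"


if __name__ == "__main__":
    eng = build_value(["10.0.1.0/24", "172.16.1.0/24"])
    print("USER-ADDR1 =", eng)
    print(validate_value("10.0.1.0-10.0.1.255, 172.16.1.0-172.16.1.255"))
    print(validate_value("10.10.2.30-10.10.2.1"))
    print(tvr_for("10.10.2.17", [("Mission Critical", "10.10.2.1-10.10.2.30")]))
```

Because a CIDR block expands to a range that includes the network and broadcast addresses, the generated value for 10.0.1.0/24 is exactly the 10.0.1.0-10.0.1.255 form shown above.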
Event Action Overrides
This topic defines event action overrides and describes how to configure them.
As mentioned in the “How to Define Event Variables” topic, you can add an event action
override to change the actions associated with an event based on specific details about that
event.
[Figure: Cisco IDM, Configuration > Event Action Rules > rules0, Event Action Overrides tab: Use Event Action Overrides check box, Add button]
Step 4 From the rules0 panel, click the Event Action Overrides tab. The Event Action
Overrides panel is displayed.
Step 5 Check the Use Event Action Overrides check box.
Step 6 Click Add to create a new event action override. The Add Event Action Override
window opens.
Configuring Event Action Overrides
(Cont.)
[Figure: Add Event Action Override window: Event Action, Enabled, and Risk Rating fields]
Step 7 From the Event Action drop-down menu, choose the event action to which this
override will correspond. This specifies the event action that will be added to an
event if the conditions of the override are satisfied. You can choose from the
following options:
Deny Attacker Inline: This option terminates the current packet and future
packets from this attacker address for a specified period of time. The option is
only for inline mode.
Note The sensor maintains a list of the attackers currently being denied by the system. To remove
an entry from the denied attacker list, you can view the list of attackers and clear the entire
list, or you can wait for the timer to expire. The timer is a sliding timer for each entry.
Therefore, if attacker A is currently being denied but issues another attack, the timer for
attacker A is reset and attacker A remains in the denied attacker list until the timer expires. If
the denied attacker list is at capacity and cannot add a new entry, the packet is still denied.
Deny Attacker Service Pair Inline: (Inline mode only) This option does not
transmit this packet or future packets on the attacker address victim port pair for
a specified period of time.
Deny Attacker Victim Pair Inline: (Inline mode only) This option does not
transmit this packet or future packets on the attacker-victim address pair for a
specified period of time.
Deny Connection Inline: This option terminates the current packet and future
packets on this TCP flow. This option is only for inline mode.
Deny Packet Inline: This option terminates the packet. This option is only for
inline mode.
Log Attacker Packets: This option starts IP logging on packets that contain the
attacker address and sends an alert. This action causes an alert to be written to
the Event Store even if Produce Alert is not selected.
Step 9 Use the Risk Rating Minimum and Maximum fields to enter the risk rating range that
triggers the event action override. If an event has a risk rating within this range, the
event action is added to the other actions configured for the event. Both values must
be between 0 and 100, and the value in the Minimum field must be less than or equal
to the value in the Maximum field. (Risk rating is discussed in more detail in the
"Risk Rating System" topic in this lesson.)
Note To undo your changes and close the Add Event Action Override dialog box, click Cancel.
Step 10 Click OK. The new event action override is displayed in the list on the Event Action
Overrides panel.
Step 11 Click Apply to apply your changes and save the revised configuration.
Note If you do not check the Use Event Action Overrides check box, none of the event action
overrides are enabled, regardless of the value that you set.
You can edit an existing event action override by choosing it from the list and clicking Edit.
The Edit Event Action Overrides window opens, enabling you to edit the Enabled and Risk
Rating values for the specified event action. You can also enable, disable, or delete event action
overrides by choosing the event action override and clicking the button for the desired action.
Event Action Filters
[Figure: the management system scans a target. (2) The scanning traffic matches a signature, the
signature fires, and the traffic is dropped. (3) The sensor allows identical scanning behavior
through from the management system.]
You can configure event action filters to remove specific actions from an event or to discard an
entire event and prevent further processing by the sensor. You can also use the variables that
you defined on the Event Variables panel to group addresses for your filters.
Configuring Event Action Filters
[Figure: the rules0 panel of the Event Action Rules, Event Action Filters tab, with the Add, Edit,
Enable, Disable, Delete, Move Up, and Move Down buttons.]
Use the Event Action Filters panel to add and manage event action filters. Choose an event
action filter and then click one of the following buttons to perform the corresponding task:
Move Up: This button moves the selected event action filter up one row in the list. This
action results in a change in the processing order of the filters.
Move Down: This button moves the selected filter down one row in the list. This action
results in a change in the processing order of the filters.
Edit: This button opens the Edit Event Action Filter window. This enables you to modify
the filter values.
Note You must preface the variable with a dollar sign ($) to indicate that you are using a variable
rather than a string. Otherwise, you receive the Bad Source and Destination error.
Step 4 From the rules0 panel, click the Event Action Filters tab. The Event Action Filters
panel is displayed.
Step 5 Click Add. The Add Event Action Filter window opens.
[Figure: the Add Event Action Filter window with the Subsignature ID, Enabled, Risk Rating,
Actions to Subtract, OS Relevance, Deny Percentage, Stop on Match, and Comments fields.]
Step 7 Click the Active Yes radio button to make the filter active. Yes is selected by default.
Step 8 Click the Enabled Yes radio button to enable the filter. Yes is selected by default.
Step 9 Enter the signature IDs of all the signatures to which this filter should be applied in
the Signature ID field. You can enter a single signature ID, a list, or a range.
Step 10 Enter the subsignature IDs of the subsignatures to which this filter should be applied
in the SubSignature ID field.
Step 11 Enter the IP address of the source host in the Attacker Address field. You can enter a
single IP address, a range of addresses, or an event variable defined in the Event
Variables panel. If you use a variable, preface it with a dollar sign ($).
Step 12 Enter the port number used by the attacker to send the offending packet in the
Attacker Port field. You can also enter a range of ports.
Step 13 Enter the IP address of the recipient host in the Victim Address field. You can enter
a single IP address, a range of addresses, or an event variable defined in the Event
Variables panel. If you use a variable, preface it with a dollar sign ($).
Step 14 Enter the port number used by the victim host to receive the offending packet in the
Victim Port field. You can also enter a range of ports.
Step 15 Assign a risk rating range to this filter. If an event has a risk rating within the range
that you configure here, the event is processed against the rules of this event filter.
Step 16 Choose from the Actions to Subtract list the actions that you want this filter to
remove from the event should the conditions of the event meet the criteria of the
event action filter.
Step 17 Choose which OS Relevance values apply.
Step 19 Choose one of the following Stop on Match radio buttons, which determine whether
this event is processed against remaining filters in the event action filters list:
Click Yes if you want the Event Action Filters component to stop processing
after the actions of this particular filter have been removed. Any remaining
filters are not processed; therefore, no additional actions can be removed from
the event.
Click No if you want to continue processing additional filters for a match until a
Stop flag is encountered.
Step 20 Enter any comments that you want to store with this filter in the Comments field,
such as the purpose of this filter or why you have configured this filter in a particular
way.
Step 21 Click OK. The new event action filter is displayed in the list on the Event Action
Filters panel.
Note If you do not check the Use Event Action Filters check box on the Event Action Filters panel,
none of the event action filters will be enabled regardless of the value that you set here.
Step 22 Click Apply to apply your changes and save the revised configuration.
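The following Python model, added here as an illustration and not part of Cisco's sensor software, puts the two procedures above together: overrides add an action when an event's risk rating falls within the configured range, and filters then remove actions from matching events in list order, honoring Stop on Match and the $VARIABLE notation for addresses. The Filter defaults (signature range 900-65535, all addresses and ports), the event variable MGMT, the signature ID range 3001-3050, the addresses, and the risk ratings are all constructed for the example; the action names follow the sensor's own names as listed under Threat Rating later in this lesson.

```python
"""Simplified model of Cisco IPS event action overrides and filters (added example,
not Cisco sensor code). Overrides ADD an action when the risk rating is in range;
filters then SUBTRACT actions from matching events in list order; a filter with
Stop on Match = Yes ends filter processing. All sample values are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address

def parse_ranges(spec):
    """'80' | '80,443' | '1000-1010' -> list of inclusive (lo, hi) integer ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_addr_ranges(spec, variables):
    """'10.0.0.1' | '10.0.0.1-10.0.0.9' | '$NAME' (event variable). A variable name
    typed without the '$' is parsed as an address and fails: Bad Source and Destination."""
    if spec.startswith("$"):
        if spec[1:] not in variables:
            raise ValueError(f"Bad Source and Destination: undefined variable {spec}")
        spec = variables[spec[1:]]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(ip_address(lo)), int(ip_address(hi or lo))))
    return ranges

def in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)

@dataclass
class Event:
    sig_id: int
    subsig_id: int
    attacker: str
    attacker_port: int
    victim: str
    victim_port: int
    risk_rating: int
    actions: set = field(default_factory=set)  # actions the signature itself carries

@dataclass
class Override:
    action: str            # event action to add, e.g. "deny-packet-inline"
    rr_min: int = 0
    rr_max: int = 100
    enabled: bool = True

@dataclass
class Filter:
    sig_ids: str = "900-65535"             # defaults match everything (constructed)
    subsig_ids: str = "0-255"
    attacker: str = "0.0.0.0-255.255.255.255"
    attacker_ports: str = "0-65535"
    victim: str = "0.0.0.0-255.255.255.255"
    victim_ports: str = "0-65535"
    rr_min: int = 0
    rr_max: int = 100
    actions_to_subtract: frozenset = frozenset()
    stop_on_match: bool = False
    enabled: bool = True

    def matches(self, ev, variables):
        return (in_ranges(ev.sig_id, parse_ranges(self.sig_ids))
                and in_ranges(ev.subsig_id, parse_ranges(self.subsig_ids))
                and in_ranges(int(ip_address(ev.attacker)), parse_addr_ranges(self.attacker, variables))
                and in_ranges(ev.attacker_port, parse_ranges(self.attacker_ports))
                and in_ranges(int(ip_address(ev.victim)), parse_addr_ranges(self.victim, variables))
                and in_ranges(ev.victim_port, parse_ranges(self.victim_ports))
                and self.rr_min <= ev.risk_rating <= self.rr_max)

def apply_rules(ev, overrides, filters, variables, use_overrides=True, use_filters=True):
    """Final action set: overrides add first, then filters subtract in list order."""
    actions = set(ev.actions)
    if use_overrides:                      # the Use Event Action Overrides check box
        for o in overrides:
            if o.enabled and o.rr_min <= ev.risk_rating <= o.rr_max:
                actions.add(o.action)
    if use_filters:                        # the Use Event Action Filters check box
        for f in filters:                  # list order = Move Up / Move Down order
            if f.enabled and f.matches(ev, variables):
                actions -= f.actions_to_subtract
                if f.stop_on_match:
                    break
    return actions

# Constructed sample policy: scans from the management system keep only the alert.
VARIABLES = {"MGMT": "10.1.1.10-10.1.1.20"}          # from the Event Variables panel
OVERRIDES = [Override("deny-packet-inline", 90, 100), Override("deny-attacker-inline", 95, 100)]
FILTERS = [Filter(sig_ids="3001-3050", attacker="$MGMT", stop_on_match=True,
                  actions_to_subtract=frozenset({"deny-packet-inline", "deny-attacker-inline"})),
           Filter(sig_ids="3001-3050", actions_to_subtract=frozenset({"deny-attacker-inline"}))]

if __name__ == "__main__":
    scan = Event(3030, 0, "10.1.1.15", 40000, "10.2.2.2", 22, 95, {"produce-alert"})
    print(apply_rules(scan, OVERRIDES, FILTERS, VARIABLES))    # {'produce-alert'}
    scan.attacker = "10.9.9.9"                                 # not in $MGMT: second filter applies
    print(apply_rules(scan, OVERRIDES, FILTERS, VARIABLES))    # {'produce-alert', 'deny-packet-inline'}
```

Two details worth noticing: the first filter has Stop on Match set, so the second filter is never consulted for management-system scans, and a filter whose Attacker Address field names the variable without the leading $ (for example MGMT instead of $MGMT) fails with the Bad Source and Destination error rather than silently matching nothing.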
In contrast to the simplistic alert rating models that are common in the industry, Cisco IPS
Sensor Software Version 6.0 assigns a risk rating to each alert that a Cisco IPS sensor
generates. The intent of the risk rating is to give the administrator an indication of the relative
risk of allowing the traffic, or the offending host, to continue to access the network. The rating
can be used either to highlight the events that require immediate administrator attention in the
classic intrusion detection system (IDS) promiscuous mode, or as the basis for risk-oriented
event action policies when you deploy the sensor in inline intrusion prevention mode.
The risk rating is an integer value in the range from 0 to 100. The higher the value, the greater
the security risk of the trigger event for the associated alert. The risk rating is a calculated
number that is based on several components, and it is the value that event action overrides and
event action filters match against.
Components That Make Up the Risk Rating
Some of these values are configured by the administrator; others are calculated by the sensor.
Attack Severity Rating
The attack severity rating (ASR) is determined by the severity level configured for the signature.
The severity level can be informational, low, medium, or high. Each of these severities has an
associated numeric value, which the risk rating formula uses as the ASR:
Informational (25)
Low (50)
Medium (75)
High (100)
The ASR is not a determination of the accuracy of the signature definition. It is only an
indication of the seriousness of the attack.
Target Value Rating
When you configure TVRs in the event action rules, numeric values are assigned and used to
calculate the risk rating value. The TVR is a user-configurable value that identifies the
importance of a network asset, through its IP address. You can develop a security policy that is
more stringent for valuable corporate resources and looser for less important resources. For
example, you could assign a TVR to the company web server that is higher than the TVR that
you assign to a desktop node. In this example, attacks against the company web server have a
higher risk rating than attacks against the desktop node.
The following are the current numeric values for the configured targets:
Zero (50)
Low (75)
Medium (100)
High (150)
Mission Critical (200)
Attack Relevancy Rating
The ARR adds the relevance of an attack to the risk rating equation. For example, a Microsoft
Internet Information Server (IIS) buffer overflow attack is serious. But if it is launched against
an Apache server, it is not relevant. Therefore, to assist IPS analysts in prioritizing their efforts,
the ARR is included in the risk rating by raising the ARR for attacks against legitimate targets,
and lowering it against others.
Promiscuous Delta
The promiscuous delta (PD) lowers the risk rating of alerts generated in promiscuous mode.
Because the sensor does not know the attributes of the target system and, in promiscuous mode,
cannot deny packets, it is useful to lower the priority of promiscuous alerts (through the lower
risk rating) so that the administrator can focus on investigating alerts with higher risk ratings.
Watch List Rating
If the attacker address in an alert is found on the watch list, the watch list rating (WLR) for that
attacker is added to the risk rating. Valid WLR values are 0 to 100; Cisco Security Agent uses
only the range 0 to 35.
The CiscoWorks Management Center for Cisco Security Agent receives host posture
information from the Cisco Security Agent software that it manages. It also maintains a watch
list of IP addresses that it has determined should be quarantined from the network.
The CiscoWorks Management Center for Cisco Security Agent sends two types of events to the
sensor—host posture events and quarantined IP address events. Host posture events contain the
following information:
Cisco Security Agent status
Host system hostname
Set of IP addresses enabled on the host
Cisco Security Agent software version
Cisco Security Agent polling status
Cisco Security Agent test mode status
ARC posture
The sensor uses the information from these events to determine the risk rating increase based
on the information in the event and the risk rating configuration settings for host postures and
quarantined IP addresses.
Note The host posture and watch list IP address information is not associated with a virtual
sensor, but is treated as global information.
A risk rating is a value between 0 and 100 that represents a numerical quantification of the risk
associated with a particular event on the network. The calculation takes into account the value
of the network asset being attacked (for example, a particular server), so it is configured both
on a per-signature basis (ASR and SFR) and on a per-target basis (TVR, by IP address).
Risk ratings let you prioritize alerts that need your attention. These risk rating factors take into
consideration the severity of the attack if it succeeds, the fidelity of the signature, and the
overall value of the target host to you. The risk rating is reported in the events.
The following values are used to calculate the risk rating for a particular event:
ASR: The attack severity rating is a weight associated with the severity of a successful exploit
of the vulnerability. The ASR is derived from the alert severity parameter of the signature.
SFR: The signature fidelity rating is a weight associated with how well this signature might
perform in the absence of specific knowledge of the target. The SFR is set by the signature
author on a per-signature basis as a baseline confidence ranking for the accuracy of the
signature in the absence of qualifying intelligence on the target. It represents the confidence
that the detected behavior would produce the intended effect on the target platform if the
packets under analysis were allowed to be delivered. For example, a signature that is written
with very specific rules (a specific regular expression) has a higher SFR than a signature
that is written with generic rules.
TVR: This is a weight associated with the perceived value of the target. TVR is a user-
configurable value that identifies the importance of a network asset through its IP address.
You can develop a security policy that is more stringent for valuable corporate resources
and looser for less important resources. For example, you could assign a TVR to the
company web server that is higher than the TVR that you assign to a desktop node. In this
example, attacks against the company web server have a higher risk rating than attacks
against the desktop node.
General Settings of Event Action Rules
This topic explains the event action rules general settings and how to configure them.
You can configure the general settings that apply to the event action rules, such as whether you
want to use the summarizer and the meta event generator. The summarizer groups events into a
single alert, thus decreasing the number of alerts that the sensor sends out. The meta event
generator processes the component events, which lets the sensor watch for suspicious activity
transpiring over a series of events.
You can configure settings for how long you want to deny attackers, the maximum number of
denied attackers, and how long you want blocks to last.
Configuration
[Figure: the General Settings tab for rules0 with the Use Summarizer check box and the Deny
Attacker Duration, Block Action Duration, and Maximum Denied Attackers fields.]
Complete the following steps to configure the general settings for event action rules:
Step 4 From the rules0 panel, click the General Settings tab.
Step 5 If you want to enable the summarizer feature, check the Use Summarizer check
box.
Step 6 If you want to be able to use meta events, check the Use Meta Event Generator
check box.
Caution The summarizer and the meta event generator operate at a global level, so enabling these
options affects all sensor processing of these features.
Step 7 Enter the number of seconds that you want to deny an attacker inline in the Deny
Attacker Duration field.
Step 8 Enter the number of minutes that you want to block a host or connection in the
Block Action Duration field.
Step 9 Enter the maximum number of attackers that you want to deny at any one time in the
Maximum Denied Attackers field.
Step 10 Click Apply to apply your changes and save the revised configuration.
Threat Rating
The threat rating is the risk rating lowered according to the actions that the sensor actually
took on the event. Depending on which actions are configured and which of them occur, the risk
rating is reduced by the value associated with those actions. The amount by which the risk
rating is reduced is based on the following actions:
45: deny-attacker-inline
40: deny-attacker-victim-pair-inline
40: deny-attacker-service-pair-inline
35: deny-connection-inline
35: deny-packet-inline
35: modify-packet-inline
20: request-block-host
20: request-block-connection
20: reset-tcp-connection
20: request-rate-limit
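As an added worked example (not Cisco code), here is the risk rating and threat rating arithmetic in Python using the component values this lesson lists. The combining formula RR = ASR * TVR * SFR / 10000 + ARR - PD + WLR, clamped to 0 through 100, and the ARR (+10, 0, -10) and PD (5) constants are taken from the Cisco IPS 6.0 documentation rather than from this page; truncating the product to an integer and lowering the threat rating by the largest single adjustment among the actions taken are assumptions of this example.

```python
"""Risk rating (RR) and threat rating (TR) arithmetic for Cisco IPS 6.0 alerts (added
example, not Cisco sensor code). Component values are those the lesson lists; the
formula RR = ASR * TVR * SFR / 10000 + ARR - PD + WLR (clamped 0..100) and the ARR
and PD constants come from the Cisco IPS 6.0 documentation, not this page. Integer
truncation and "largest single adjustment" for the threat rating are assumptions."""

ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}   # attack severity rating
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not relevant": -10}          # attack relevancy rating
PROMISCUOUS_DELTA = 5                                              # PD, promiscuous mode only
THREAT_ADJUSTMENT = {                                              # the Threat Rating list above
    "deny-attacker-inline": 45,
    "deny-attacker-victim-pair-inline": 40,
    "deny-attacker-service-pair-inline": 40,
    "deny-connection-inline": 35,
    "deny-packet-inline": 35,
    "modify-packet-inline": 35,
    "request-block-host": 20,
    "request-block-connection": 20,
    "reset-tcp-connection": 20,
    "request-rate-limit": 20,
}

def clamp(value, lo=0, hi=100):
    return max(lo, min(hi, value))

def risk_rating(severity, sfr, target_value, relevance="unknown", promiscuous=False, wlr=0):
    """RR from the signature (severity -> ASR, SFR), the target (TVR) and the context (ARR, PD, WLR)."""
    if not 0 <= sfr <= 100:
        raise ValueError("SFR must be 0..100")
    if not 0 <= wlr <= 100:
        raise ValueError("WLR must be 0..100 (Cisco Security Agent supplies 0..35)")
    base = ASR[severity] * TVR[target_value] * sfr // 10000       # assumed: truncate to int
    rr = base + ARR[relevance] - (PROMISCUOUS_DELTA if promiscuous else 0) + wlr
    return clamp(rr)

def threat_rating(rr, actions_taken):
    """TR = RR lowered by the largest adjustment among the actions the sensor actually took."""
    adjustment = max((THREAT_ADJUSTMENT.get(a, 0) for a in actions_taken), default=0)
    return clamp(rr - adjustment)

def rr_by_target(severity, sfr, **context):
    """The same signature against every TVR class: shows how asset value alone can move
    an alert across an override threshold such as RR >= 90."""
    return {tv: risk_rating(severity, sfr, tv, **context) for tv in TVR}

if __name__ == "__main__":
    rr = risk_rating("high", 85, "medium")                                  # 85
    print("RR", rr, "TR", threat_rating(rr, {"produce-alert", "deny-attacker-inline"}))  # TR 40
    print(rr_by_target("high", 85))              # zero 42, low 63, medium 85, high 100, mission critical 100
    print(rr_by_target("medium", 80, promiscuous=True))   # 25, 40, 55, 85, 100
```

Running the module shows the lever the TVR gives you: the same high-severity signature with an SFR of 85 rates 42, 63, 85, 100, and 100 against targets rated Zero through Mission Critical, so an override that triggers at RR 90 and above fires only for the two most valuable asset classes. The threat rating then drops from 85 to 40 once the sensor has denied the attacker inline, which is what lets you sort the event viewer by residual threat rather than by raw severity.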
Summary
Lesson 2
Overview
This lesson introduces several additional software products to aid and enhance the monitoring
provided by the Cisco Intrusion Prevention System (IPS) sensor. It also covers some
complementary technologies that aid in this enhancement.
Objectives
Upon completing this lesson, you will be able to use additional monitoring tools to maximize
alarm management efficiency. This ability includes being able to meet these objectives:
Explain the Cisco IEV, its features, benefits, and specifications
Explain the installation procedure for Cisco IEV
Add devices to the Cisco IEV
Use Cisco IEV to view events
Explain the Cisco Security Management Suite, its features, benefits, and specifications
Explain the external product interface, its benefits, and specifications
Explain how a Cisco Security Agent installation can be integrated into a Cisco IPS sensor
installation using Cisco Security Monitor
Explain the Cisco ICS
Cisco IEV Overview
This topic describes the features, benefits, and specifications of the Cisco IPS Event Viewer
(IEV).
Cisco IEV
Cisco IEV Version 5.2 offers a no-cost monitoring solution for small scale Cisco IPS
deployments, for example, up to five devices. Cisco IEV is easy to set up and use for
monitoring individual Cisco IPS devices, and provides the administrator with the following:
E-mail and pager alert notification (new in Version 5.2)
Support for Cisco IPS Sensor Software Version 5 through Security Device Event Exchange
(SDEE) compatibility
Customizable reporting
Visibility into applied response actions and threat rating
Compatibility with events generated from the Cisco Adaptive Security Appliance
Advanced Inspection and Prevention Security Services Module (ASA AIP-SSM), Cisco
IPS 4200 Series Sensors, Cisco Catalyst 6500 Series Intrusion Detection System Services
Module 2 (IDSM-2), and Cisco IOS IPS-capable Software on Cisco integrated services
routers (ISRs)
Installing Cisco IEV
This topic describes how to install Cisco IEV.
Step 4 At the Select Destination Location window, click Browse to change the Destination
Folder. Once satisfied with the location, click Next.
Step 5 From the Select Program Manager Group screen, define the group that you wish for
this program to join and click Next.
Step 6 Click Next when the Start Installation screen appears.
Tip You can download the Cisco IEV executable file (IEV-min-5.2-1.exe) and associated readme
file (IEV-5.2-1.readme.txt) from http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev. This URL
requires a Cisco.com login.
Cisco IEV lets you view and manage alert feeds from up to five sensors. The following task
flow outlines the high-level tasks for configuring and working with Cisco IEV:
Task 1 Specify the sensors that you want Cisco IEV to monitor.
Task 2 Configure filters and views to specify the alerts that you want to view.
Task 3 Configure refresh cycle settings and database archival settings and verify
application settings.
Task 5 Maintain the database by importing, exporting, and deleting event data.
Specify the Sensors
[Figure: the Device Properties dialog box (File > New > Device) with the Sensor IP Address,
Sensor Name, Username, Password, and Exclude Alerts of Following Severity Levels fields.]
Before Cisco IEV can receive events from a sensor, you must add the sensor to the list of
devices that Cisco IEV monitors.
Step 2 In the Sensor IP Address field, enter the IP address of the sensor that you are adding.
Step 3 In the Sensor Name field, enter the hostname of the sensor that you are adding.
Step 6 In the Web Server Port field, enter the web server port. The default is 443.
Step 7 To specify the communication protocol that Cisco IEV should use when connecting
to the sensor, click the Use Encrypted Connection (https) or Use Non-Encrypted
Connection (http) radio button.
Step 8 Follow these steps to specify what alerts to pull from the sensor:
To exclude alerts of a certain severity level, check one or more of the following
check boxes:
Informational
Low
Medium
High
Step 9 Click OK to apply your changes and close the Device Properties dialog box.
Step 10 Click Yes to accept the certificate and continue the HTTPS connection between
Cisco IEV and the sensor.
Tip The sensor has a red dot next to it signifying that it is connected.
Step 11 Repeat Step 1 through Step 10 for any additional sensors that you want to monitor,
up to five.
Tip If Cisco IEV cannot connect to the sensor, a red X appears next to the device name to
indicate that no connection is present. Cisco IEV continues trying to connect to the sensor
every 20 seconds until a connection is established or until you delete the device from Cisco
IEV.
Configure Filters
[Figure: the filter dialog box with the By Severity, By Src Address, By Signature, By Sensor
Name, and By Status filter functions.]
You can create a filter to include or exclude alerts that match a specified trait, such as severity,
signature, or time. Follow these steps to create a filter:
Step 2 To name the filter, enter an alphanumeric text string, up to 64 characters, in the
Filter Name field.
Step 3 To filter alerts by severity, check the By Severity check box in the Filter Functions
area and check one or more of the following severity level check boxes:
Informational, Low, Medium, or High.
Step 4 To filter alerts by source address or destination address, check the By Src Address
or By Dst Address check box, respectively, in the Filter Functions area.
To include an IP address or range, click the Included radio button. To exclude
an IP address or range, click the Excluded radio button.
To specify a single IP address, click the Unique radio button, enter a valid IP
address in the IP Address field, and then click Add.
The IP address is added to the group of addresses excluded or included
(depending on what you selected) by this filter.
To specify a range of IP addresses, click the Range radio button, enter a valid
starting IP address in the Start Address field and a valid ending IP address in the
End Address field, and then click Add.
The IP address range is added to the group of addresses excluded or included
(depending on what you selected) by this filter.
Step 5 Repeat Step 4 to continue adding IP addresses or ranges of IP addresses.
Step 6 To filter alerts by signature, check the By Signature check box in Filter Functions
area and check the following options, as desired:
Step 7 To exclude alerts by sensor, check the By Sensor Name check box in the Filter
Functions area and choose a sensor from the Devices folder.
Step 8 To exclude alerts by time and date, check the By UTC Time check box in the Filter
Functions area.
Enter a valid numerical start date, beginning with the four-digit year, and then
the two-digit month and day in the Start Date field.
Enter a valid start time, beginning with the two-digit hour, and then minute and
seconds in the Start Time field.
Enter a valid numerical end date, beginning with the four-digit year, and then
the two-digit month and day in the End Date field.
Enter a valid end time, beginning with the two-digit hour, and then minute and
seconds in the End Time field.
Step 10 To exclude alerts by status, check the By Status check box in the Filter Functions
area and check one or more of the following status level check boxes:
New
Acknowledged
Assigned
Closed
Deleted
The filter is added to the Filters folder and you can now use it in a view.
[Figure: the view wizard with the Group By and Secondary Sort Columns options.]
Step 2 To name the view, enter an alphanumeric text string, up to 64 characters, in the
View Name field.
Step 3 To specify a filter, check the Use Filter check box and choose a filter from the drop-
down list.
Step 4 To specify how alerts are grouped in the table, check a grouping style check box in
the Select the Grouping Style on Alert Aggregation Table area.
Step 5 To specify the columns that should appear in the table, check one or more check
boxes in the Select the Columns Initially Shown on Alert Aggregation Table area.
Step 6 To specify sort order for the columns, choose an option from the Column Secondary
Sort Order (Initially) drop-down list.
Step 7 Click Next.
Step 8 To specify the alerts that should populate this view, choose a source from the
Choose a Data Source drop-down list.
Step 9 To specify the columns that should appear in the alert detail, choose one or more
columns in the Select the Columns Initially Shown on Alert Detail Table area. To
rearrange the order of these columns, click Up or Down.
Step 10 To save your changes and create the view, click Finished.
Configure Database and Application Settings
Edit > Preferences > Refresh Cycle
Edit > Application Settings
Cisco IEV includes a database archival feature that lets you archive real-time events and ensure
available disk space for incoming events. Two thresholds control the archival process. The first
is a time interval and the second is a maximum number of records. Crossing either threshold
triggers the archival process.
If the time interval threshold is crossed, all records with a status matching the archival settings
are moved from the event_realtime_table to archive_table.timestamp. Any alerts with a status
set to Deleted are deleted.
If the maximum records threshold is crossed, any alerts with a status set to Deleted are deleted
from the event_realtime_table. Then, all records with a status matching the archival settings are
moved from event_realtime_table to archive_table.timestamp. If, after the initial archival
Step 3 To specify the alerts that you want to archive, check one or more of the following
alert status check boxes:
New
Acknowledged
Assigned
Closed
Step 4 To enable a time interval threshold, check the Enable Time Schedule for
Archiving Events check box and do one of the following:
To set the archival to occur every 1 to 59 minutes, click the Every radio button
and choose a time from the Minute(s) drop-down list.
To set the archival to occur every 1 to 23 hours, click the Every radio button
and choose a time interval from the Hour(s) drop-down list.
To set the archival to occur once a day, click the Every Day at Time radio
button and choose a specific time from the drop-down list.
When this threshold is met, Cisco IEV begins to archive events to make room for
new events in the event_realtime_table.
Step 6 To specify the maximum number of archived files, enter a numerical value, from 10
to 400, in the Maximum Number of Archived Files field.
When this threshold is met, Cisco IEV begins to compress half of the oldest archived
files and moves them to the compressed directory.
Step 7 To specify the maximum number of compressed archived files, enter a numerical
value, from 10 to 400, in the Maximum Number of Compressed Archived Files
field.
When this threshold is met, Cisco IEV begins to purge half of the oldest compressed
archived files.
Note To maintain available disk space for a full event_realtime_table, Cisco IEV purges
compressed and archived files on a first-in, first-out basis until the available disk space is
greater than three times the space needed.
Step 8 Click OK to apply your changes and save the revised configuration.
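The archival behavior described above (two thresholds, Deleted alerts dropped, matching alerts moved to archive_table.timestamp, half of the oldest archives compressed and half of the oldest compressed archives purged when the file limits are met) can be followed more easily in a small model. The following Python is an added example written for this guide; it is not Cisco IEV code. The maximum-records field name, the "threshold is met" comparison (greater than or equal to), and the sample alerts are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Alert statuses that can be checked in Step 3; "Deleted" is never archived.
SELECTABLE_STATUSES = ("New", "Acknowledged", "Assigned", "Closed")


@dataclass
class Alert:
    alert_id: int
    status: str  # one of SELECTABLE_STATUSES, or "Deleted"


@dataclass
class ArchiveSettings:
    statuses: Set[str]          # statuses checked in Step 3
    interval_minutes: int       # time-interval threshold (Step 4)
    max_records: int            # maximum-records threshold (field name assumed)
    max_archived_files: int     # Step 6, valid range 10-400
    max_compressed_files: int   # Step 7, valid range 10-400

    def __post_init__(self) -> None:
        if not self.statuses <= set(SELECTABLE_STATUSES):
            raise ValueError("unknown status in archival settings")
        for value in (self.max_archived_files, self.max_compressed_files):
            if not 10 <= value <= 400:
                raise ValueError("file limits must be between 10 and 400")


@dataclass
class EventStore:
    settings: ArchiveSettings
    realtime: List[Alert] = field(default_factory=list)             # event_realtime_table
    archives: Dict[str, List[Alert]] = field(default_factory=dict)  # archive_table.<timestamp>, oldest first
    compressed: List[str] = field(default_factory=list)             # compressed archives, oldest first
    purged: List[str] = field(default_factory=list)                 # audit trail of purged archives

    def archive(self, timestamp: str) -> str:
        """Move matching alerts out of the realtime table into a new archive table."""
        name = f"archive_table.{timestamp}"
        keep: List[Alert] = []
        moved: List[Alert] = []
        for alert in self.realtime:
            if alert.status == "Deleted":
                continue  # Deleted alerts are dropped outright, never archived
            (moved if alert.status in self.settings.statuses else keep).append(alert)
        self.realtime = keep
        self.archives[name] = moved
        self.enforce_file_limits()
        return name

    def enforce_file_limits(self) -> None:
        """Steps 6 and 7: compress half of the oldest archives, purge half of the oldest compressed ones."""
        if len(self.archives) >= self.settings.max_archived_files:
            oldest = list(self.archives)[: len(self.archives) // 2]
            for name in oldest:
                del self.archives[name]
                self.compressed.append(name)
        if len(self.compressed) >= self.settings.max_compressed_files:
            cut = len(self.compressed) // 2
            self.purged.extend(self.compressed[:cut])
            self.compressed = self.compressed[cut:]

    def on_timer(self, minutes_since_last: int, timestamp: str) -> Optional[str]:
        """Time-interval threshold: archive once the configured interval has elapsed."""
        if minutes_since_last >= self.settings.interval_minutes:
            return self.archive(timestamp)
        return None

    def on_insert(self, alert: Alert, timestamp: str) -> Optional[str]:
        """Maximum-records threshold: archive when the realtime table outgrows the limit."""
        self.realtime.append(alert)
        if len(self.realtime) > self.settings.max_records:
            return self.archive(timestamp)
        return None


def demo() -> EventStore:
    """Constructed scenario: archive Closed and Acknowledged alerts, at most 4 realtime rows."""
    settings = ArchiveSettings({"Closed", "Acknowledged"}, 30, 4, 10, 10)
    store = EventStore(settings)
    sample = [(1, "New"), (2, "Closed"), (3, "Deleted"), (4, "Acknowledged"), (5, "Assigned")]
    for alert_id, status in sample:
        store.on_insert(Alert(alert_id, status), "20070608T1000")
    return store


if __name__ == "__main__":
    s = demo()
    print("realtime:", [a.alert_id for a in s.realtime])  # [1, 5]
    print("archives:", {k: [a.alert_id for a in v] for k, v in s.archives.items()})
```

The fifth insert crosses the maximum-records threshold: the Deleted alert disappears, the Closed and Acknowledged alerts move to the new archive table, and the New and Assigned alerts stay in event_realtime_table.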
Cisco IEV relies on supporting applications to carry out database retrieval and communication
functions. From the Edit menu, you can specify the location of these supporting applications.
Note If Ethereal is installed on your computer when you install Cisco IEV, Cisco IEV detects its
location automatically. You need to specify the location of Ethereal only if you later move the
Ethereal executable file to a different directory or if you install Ethereal after installing Cisco
IEV.
Step 2 Enter the path, beginning with the drive letter, to the Ethereal executable file in the
Ethereal Executable File Location field, or click Browse to locate the file.
Step 3 Click OK to accept your changes and close the Application Settings dialog box.
Notification settings (figure: Mail Server, From Address, and Recipient Address(es) fields)
Step 4 In the Mail Server (SMTP Host) field, enter the mail server IP address.
Step 5 In the Recipient Address(es) field, enter the e-mail address that should receive the
notifications. You can enter multiple e-mail addresses separated by a semicolon (;).
Step 6 Click Send a Test Mail to test the recipient e-mail address.
The test e-mail has Alert Test Mail as the subject and contains something similar to
the following:
Will send out notifications for high level alerts whose risk
rating value is 0-100.
Step 7 Check the check boxes for the severity levels of alerts for which you want to receive
notifications.
Note By default, Cisco IEV counts and sends out notifications only for high-level alerts. Cisco IEV
does not summarize or send detailed notifications for alerts that do not fall into the selected
categories.
Step 8 In the Risk Rating Range field, you can change the default risk rating range (0–100).
Step 9 In the Notification Interval field, you can change the default interval of 10 minutes.
The valid range is 1 to 1440 minutes.
Step 10 Under Notification Type, check the check box of the type of notifications that you
want to receive. Both the Send Summarized Notifications and Send Detailed
Notifications check boxes are checked by default.
Step 11 In the Maximum Number of Detailed Notifications per Interval field, you can
change the default of 10. The valid range is 1 to 100.
Step 12 In the Content Contains field, check the check boxes of the fields that you want the
detailed notifications to contain.
Step 13 Click OK to apply your changes and save the revised configuration.
Note If you want Cisco IEV to send out notifications for certain severity level alerts, ensure that
they are not marked as excluded in the Device Properties dialog box. Cisco IEV must
receive those alerts before it can send out notifications for them.
You can export data from the Cisco IEV tables to an ASCII file. Follow these steps to export a
table:
Step 1 Choose File > Database Administration > Export Database Tables.
Step 2 To specify where to store the exported table, click Browse and choose a directory
for the file.
Step 3 To name the exported file, enter a name in the ASCII File Name field.
Step 4 Choose the tables to export to the ASCII file. To choose multiple tables, hold down
the Ctrl key and click the names of the tables that you want to include.
Note By default, tables are exported in the Cisco IEV Version 5.2 format. This option appears
dimmed.
Step 5 To specify how the table fields are separated in ASCII format, choose the Separate
by Comma or Separate by TAB radio button in the How to Separate Fields in
ASCII File area.
You can delete an existing table from the list of available data sources for a view. Follow these
steps to delete a table from the data source repository:
Step 1 Choose File > Database Administration > Data Source Information.
Step 2 Choose the row corresponding to the table that you want to delete, and then click
Delete.
Step 3 Click Yes to remove the table from the data source repository.
Alerts with a status set to Deleted are removed from the table.
Tip To delete rows from a table associated with an open view, choose the rows that you want to
delete and then right-click the first column of the table and choose Delete Row(s) from
Database.
Step 3 To delete all alerts from a table associated with an open view, right-click the tab for
the view, and choose Delete All Rows from Database.
Note You can delete a single row from an Alarm Aggregation table, the Expanded Details Dialog
table, or the Drill-Down Dialog table.
Viewing Events
You can use the Realtime Dashboard to view a continuous stream of real-time events from the
sensor.
Cisco IEV opens a subscription request with the sensor. If the connection is
successful, the Realtime Dashboard appears and displays the most recent events
received by the sensor since the request was opened.
You can view events in the Realtime Graph or the Statistical Graph. Each graph
provides a view of the average number of alerts per minute, based on severity level.
However, each graph represents a different data source and therefore a different view
into the events.
Cisco IEV queries the data source for the chosen view and calculates the
average alerts per minute. The Statistical Graph appears and displays the result.
Step 3 To change the range of events displayed in the graph, follow these steps:
Specify the time span by which you want to advance the view.
To adjust the start time by the interval selected in the Switched Port Analyzer
(SPAN), use the forward and backward arrows.
Step 4 To change the presentation to a bar or area graph, click Bar or Area.
Realtime Dashboard (figure: Signature ID and Source Address columns)
You can use the Realtime Dashboard to view a continuous stream of real-time events from the
sensor.
The Cisco IEV opens a subscription request with the sensor. If the connection is
successful, the Realtime Dashboard appears and displays the most recent events
received by the sensor since the request was opened.
The Cisco IEV stops populating the Realtime Dashboard with events.
Step 3 To resume the stream of real-time events, click Resume.
The Cisco IEV populates the Realtime Dashboard with events, beginning with the
first event that was received after the stream was paused.
Step 4 To clear all existing events from the Realtime Dashboard, click Reconnect.
All existing events are removed from the Realtime Dashboard and Cisco IEV opens
a new subscription with the sensor.
Realtime Graph (figure: Bar Graph and Area Graph)
You can view events in a real-time graph or statistical graph. Each graph provides a view of the
average number of alerts per minute, based on the severity level. However, each graph
represents a different data source and therefore a different view into the events.
A continuously running thread in Cisco IEV populates the Realtime Graph. This thread
continuously monitors and aggregates the total number of alerts that Cisco IEV receives. The
events that the Realtime Graph displays reflect the average number of alerts received by Cisco
IEV. The time stamp for these events reflects the time that Cisco IEV received the alert, not
necessarily the time that the sensor generated the alert.
The Statistical Graph is populated with events from the data source that you choose. Valid data
sources include the event_realtime_table, any archived table, or any imported table. The events
displayed in the Statistical Graph reflect the average number of alerts received by Cisco IEV,
based on the filter that is applied to the data source. Therefore, depending on the filter, the
Statistical Graph may not reflect the true average number of alerts. The time stamp for these
events reflects the time the sensor generated the alert.
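The difference between the two graphs is easiest to see on events whose sensor time stamp and Cisco IEV receipt time fall in different minutes. The Python below is an added example for this guide, not Cisco IEV code: it buckets constructed alerts into one-minute slots, by receipt time for the Realtime Graph and by sensor time (after the view filter) for the Statistical Graph, and reports the average alerts per minute per severity over a four-minute span. The event fields, the span, and the sample alerts are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    sig_id: int
    severity: str
    generated: datetime   # time stamp set by the sensor
    received: datetime    # time Cisco IEV received the alert


def per_minute(events: List[Event], stamp: Callable[[Event], datetime]) -> Dict[datetime, Counter]:
    """Bucket events into one-minute slots by the chosen time stamp, counted per severity."""
    buckets: Dict[datetime, Counter] = defaultdict(Counter)
    for e in events:
        buckets[stamp(e).replace(second=0, microsecond=0)][e.severity] += 1
    return buckets


def average_per_minute(buckets: Dict[datetime, Counter], start: datetime, end: datetime) -> Dict[str, float]:
    """Average alerts per minute per severity over the span [start, end)."""
    minutes = int((end - start).total_seconds() // 60)
    totals: Counter = Counter()
    for minute, counts in buckets.items():
        if start <= minute < end:
            totals.update(counts)
    return {sev: n / minutes for sev, n in totals.items()}


def realtime_graph(events: List[Event], start: datetime, end: datetime) -> Dict[str, float]:
    """Realtime Graph: every alert Cisco IEV receives, keyed by the time it was received."""
    return average_per_minute(per_minute(events, lambda e: e.received), start, end)


def statistical_graph(events: List[Event], start: datetime, end: datetime,
                      view_filter: Optional[Callable[[Event], bool]] = None) -> Dict[str, float]:
    """Statistical Graph: the data source after its view filter, keyed by sensor time."""
    selected = [e for e in events if view_filter is None or view_filter(e)]
    return average_per_minute(per_minute(selected, lambda e: e.generated), start, end)


T0 = datetime(2007, 6, 8, 10, 0)
SPAN_START, SPAN_END = T0, T0 + timedelta(minutes=4)


def at(minutes: int, seconds: int) -> datetime:
    return T0 + timedelta(minutes=minutes, seconds=seconds)


# Constructed sample: the last event was generated inside the span but delivered after it.
SAMPLE_EVENTS = [
    Event(1000, "high",   at(0, 10), at(0, 12)),
    Event(1000, "high",   at(0, 50), at(1, 3)),
    Event(2000, "medium", at(1, 20), at(1, 25)),
    Event(3000, "low",    at(2, 5),  at(2, 10)),
    Event(1000, "high",   at(2, 40), at(2, 45)),
    Event(2000, "medium", at(3, 30), at(6, 0)),
]


def demo() -> Dict[str, Dict[str, float]]:
    return {
        "realtime": realtime_graph(SAMPLE_EVENTS, SPAN_START, SPAN_END),
        "statistical": statistical_graph(SAMPLE_EVENTS, SPAN_START, SPAN_END),
        "filtered": statistical_graph(SAMPLE_EVENTS, SPAN_START, SPAN_END, lambda e: e.sig_id == 1000),
    }


if __name__ == "__main__":
    for name, averages in demo().items():
        print(f"{name:12s}", averages)
```

The late medium alert is missing from the Realtime Graph (it arrived after the span) but present in the Statistical Graph (its sensor time stamp lies inside the span), and a view filter on signature 1000 leaves the Statistical Graph showing only high alerts, which is why it may not reflect the true average.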
2. Double-click the Views folder and locate the view that contains the alert data
you want to display in a graph.
2. To adjust the start time by the interval selected in SPAN, use the forward and
backward arrows.
Step 4 To change the presentation to a bar or area graph, click Bar or Area.
Generate Reports
Follow these steps to generate a report with the top 10 most common alerts:
Step 4 In the drop-down list, specify how far back in time you want to gather the most
common alerts.
Step 5 Click Generate Report.
The Reporting Devices folder displays the sensors that have the 10 most common alerts. ALL
displays the 10 most common alerts for all the sensors.
Step 1 Double-click an individual sensor or ALL under the Reporting Devices folder to
display the 10 most common alerts.
Step 3 To obtain details about a common alert, right-click the alert in the list, and choose
Show Details. You can also double-click the row in the list to show the details.
Step 4 The Alarm Information Dialog appears with the list of all occurrences of that alert.
Note Up to 30,000 alerts are displayed. If the count value of the selected row is more than the
30,000 limit, you receive a warning message and then the most recent 30,000 entries are
displayed.
Top Attackers and Top Victims
Step 4 In the drop-down list, specify how far back in time you want to gather the top most
common attacker IP addresses.
Step 5 Click Generate Report.
Step 6 Double-click the individual sensor or ALL under the Reporting Devices folder to
display the 10 most common attackers.
Step 7 To save the report in a text file, click Save.
Step 8 To obtain details about an attacker, right-click the attacker IP address in the list, and
choose Show Details.
You can also double-click the row in the list to show the details.
The Alarm Information Dialog appears with the list of all occurrences of that source
IP address.
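The reports above (10 most common alerts, top attackers, top victims) are the same computation over a lookback window with a different grouping key, shown per reporting device and for ALL, with the Show Details dialog capped at 30,000 rows. The Python below is an added example for this guide, not Cisco IEV code; the event fields, the sensor names, and the sample events are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Hashable, List, Tuple

MAX_DETAIL_ROWS = 30_000  # display limit stated in the Note above


@dataclass
class Event:
    device: str          # reporting sensor
    sig_id: int
    src: str             # attacker address
    dst: str             # victim address
    timestamp: datetime


def in_window(events: List[Event], now: datetime, lookback: timedelta, device: str = "ALL") -> List[Event]:
    """Events from the lookback period, for one reporting device or for ALL."""
    start = now - lookback
    return [e for e in events if start <= e.timestamp <= now and (device == "ALL" or e.device == device)]


def top_n(events: List[Event], key: Callable[[Event], Hashable], now: datetime, lookback: timedelta,
          n: int = 10, device: str = "ALL") -> List[Tuple[Hashable, int]]:
    """The n most common values of key(event) in the window, most frequent first."""
    return Counter(key(e) for e in in_window(events, now, lookback, device)).most_common(n)


def report_by_device(events: List[Event], key: Callable[[Event], Hashable], now: datetime,
                     lookback: timedelta, n: int = 10) -> Dict[str, List[Tuple[Hashable, int]]]:
    """One top-n list per reporting device plus ALL, like the Reporting Devices folder."""
    report = {d: top_n(events, key, now, lookback, n, d) for d in sorted({e.device for e in events})}
    report["ALL"] = top_n(events, key, now, lookback, n)
    return report


def show_details(events: List[Event], match: Callable[[Event], bool], now: datetime,
                 lookback: timedelta, device: str = "ALL") -> Tuple[List[Event], bool]:
    """All occurrences behind one report row, newest first, capped at MAX_DETAIL_ROWS.

    The second value is True when the cap was hit, the case in which the GUI warns."""
    rows = sorted((e for e in in_window(events, now, lookback, device) if match(e)),
                  key=lambda e: e.timestamp, reverse=True)
    return rows[:MAX_DETAIL_ROWS], len(rows) > MAX_DETAIL_ROWS


def by_signature(e: Event) -> Hashable: return e.sig_id    # most common alerts
def by_attacker(e: Event) -> Hashable: return e.src        # top attackers
def by_victim(e: Event) -> Hashable: return e.dst          # top victims


NOW = datetime(2007, 6, 8, 12, 0)
ONE_HOUR = timedelta(hours=1)


def at(hour: int, minute: int) -> datetime:
    return datetime(2007, 6, 8, hour, minute)


# Constructed sample events from two sensors; the last one lies outside a one-hour lookback.
SAMPLE_EVENTS = [
    Event("sensor1", 1000, "10.1.1.5", "10.2.2.1", at(11, 10)),
    Event("sensor1", 1000, "10.1.1.5", "10.2.2.2", at(11, 20)),
    Event("sensor1", 2000, "10.1.1.9", "10.2.2.1", at(11, 30)),
    Event("sensor2", 1000, "10.1.1.5", "10.2.2.3", at(11, 40)),
    Event("sensor2", 3000, "10.1.1.7", "10.2.2.1", at(11, 50)),
    Event("sensor2", 3000, "10.1.1.7", "10.2.2.1", at(9, 0)),
]


def demo() -> Dict[str, object]:
    return {
        "alerts": report_by_device(SAMPLE_EVENTS, by_signature, NOW, ONE_HOUR),
        "attackers": report_by_device(SAMPLE_EVENTS, by_attacker, NOW, ONE_HOUR),
        "victims": top_n(SAMPLE_EVENTS, by_victim, NOW, ONE_HOUR),
        "details": show_details(SAMPLE_EVENTS, lambda e: e.src == "10.1.1.5", NOW, ONE_HOUR),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Changing the drop-down in Step 4 corresponds to changing the lookback: with one hour, the 09:00 event from sensor2 is not counted at all, and the details for attacker 10.1.1.5 list its three occurrences newest first.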
Cisco Security Management Suite Overview
This topic explains the Cisco Security Management Suite, its features, benefits, and
specifications.
The Cisco Security Management Suite is a framework of products and technologies designed
for scalable policy administration and enforcement for the Cisco Self-Defending Network. This
integrated solution can simplify and automate the tasks associated with security management
operations, including configuration, monitoring, analysis, and response. There are two main
components of the Cisco Security Management Suite:
Cisco Security Manager: A powerful but easy-to-use solution for configuring firewall,
virtual private network (VPN), and IPS policies on Cisco security appliances, firewalls,
routers, and switch modules
Cisco Security Monitoring, Analysis, and Response System (MARS): An appliance-
based, all-inclusive solution that allows network and security administrators to monitor,
identify, isolate, and counter security threats
Cisco Security Manager is a powerful but very easy-to-use solution to centrally provision all
aspects of device configurations and security policies for the Cisco family of security products.
The solution is effective for managing even small networks consisting of fewer than 10 devices,
but also scales to efficiently manage large-scale networks composed of thousands of devices.
Scalability is achieved through intelligent policy-based management techniques that can
simplify administration. Some of the features of Cisco Security Manager include the following:
Supports provisioning for Cisco router platforms running a Cisco IOS Software image,
Cisco ASA 5500 Series Adaptive Security Appliances, Cisco PIX 500 Series Security
Appliances, Cisco IPS 4200 Series Sensors, and Cisco Catalyst 6500 Series IDSM-2
Responds faster to threats; defines and assigns new security policies to thousands of
devices in a few simple steps
Rich graphical user interface provides superior ease-of-use
Multiple views provide flexible methods to manage devices and policies, including the
ability to manage the security network visually on a topology map
Extensive animated help for the new user, which reduces the learning time
Allows you to centrally specify which policies are shared and automatically inherited by
new devices to ensure corporate policies are implemented consistently, while providing
optional flexibility
Integrates with Cisco Secure Access Control Server (ACS) for granular role-based access
control (RBAC) to devices and management functions
Integrates with Cisco Security MARS to correlate events with the associated firewall rules
to help with quicker decision making and increased network uptime
Has ability to assign specific tasks to each administrator during the deployment of a policy,
with formal change control and tracking; allows the security and network operations staff
to work together as a single team with effective coordination
Tip For additional training on Cisco Security Manager go to
http://www.cisco.com/web/learning/le31/le29/learning_training_from_cisco_learning_partners.html.
Cisco Security MARS provides security monitoring for network security devices and host
applications made by Cisco and other providers. Cisco Security MARS offers these benefits:
Greatly reduces false positives by providing an end-to-end view of the network
Defines the most effective mitigation responses by understanding the configuration and
topology of your environment
Promotes awareness of environmental anomalies with network behavior analysis using
NetFlow
Provides quick and easy access to audit compliance reports with more than 150 ready-to-
use customizable reports
Makes precise recommendations for threat removal, including the ability to visualize the
attack path and identify the source of the threat with detailed topological graphs that
simplify security response at Layer 2 and above
Note Each signature now contains a new parameter, MARS Category, which contains the list of
the Cisco Security MARS attack categories associated with the signature. This category is
included in the signature alerts. You can modify the MARS Category for custom signatures
but not for built-in signatures.
External Product Interface
This topic explains the external product interface, its benefits, and specifications.
The external product interface is designed to receive and process information from external
security and management products. These external security and management products collect
information that can be used to automatically enhance the sensor configuration information. For
example, the types of information that can be received from external products include host
profiles, including the operating system configuration of the host, application configuration,
and security posture, and IP addresses that have been identified as causing malicious network
activity.
Note In Cisco IPS Sensor Software Version 6.0, you can add only interfaces to the CiscoWorks
Management Center for Cisco Security Agent.
Step 1 Log into Cisco IPS Device Manager (IDM) using an account with administrator
privileges.
Step 2 Click Configuration and choose External Product Interfaces.
Step 3 From the Management Center for Cisco Security Agents panel, click Add to add an
external product interface.
Add External Product Interface
Step 4 In the External Product IP Address field, enter the IP address of the external product.
Step 5 Check the Enable Receipt of Information check box to allow information to be
passed from the external product to the sensor.
Step 6 In the Port field, change the default port 443 if you need to.
Note Under Communication Settings, you can change only the Port value.
Note If you do not check the Enable Receipt of Watch List check box, the watch list information
received from a CiscoWorks Management Center for Cisco Security Agent is deleted.
In the Manual Watch List RR Increase field, you can change the percentage
from the default of 25. The valid range is 0 to 35.
In the Session-Based Watch List RR Increase field, you can change the
percentage from the default of 25. The valid range is 0 to 35.
Step 9 Check the Enable Receipt of Host Postures check box to allow the host posture
information to be passed from the external product to the sensor.
Note If you do not check the Enable Receipt of Host Postures check box, the host posture
information received from a CiscoWorks Management Center for Cisco Security Agent is
deleted.
Step 10 Check the Allow Unreachable Hosts’ Postures check box to allow the host posture
information from unreachable hosts to be passed from the external product to the
sensor.
Note A host is not reachable if the CiscoWorks Management Center for Cisco Security Agent is
unable to establish a connection with the host on any of the IP addresses in the host
posture. This option is useful in filtering the postures whose IP addresses may not be visible
to the sensor or may be duplicated across the network. This filter is most applicable in
network topologies where hosts that are not reachable by the CiscoWorks Management
Center for Cisco Security Agent are also not reachable by the sensor; for example if the
sensor and CiscoWorks Management Center for Cisco Security Agent are not on the same
network segment.
Note Posture ACLs are network address ranges for which host postures are allowed or denied.
Use posture ACLs to filter postures that have IP addresses that may not be visible to the
sensor or may be duplicated across the network.
Add Host Posture ACL
Step 12 In the Name field, enter a name for the posture ACL.
Step 13 In the Active field, click the Yes radio button to make the posture ACL active.
Step 14 In the Network Address field, enter the network address that the posture ACL will
use.
Step 15 In the Action drop-down list, choose the action (Deny or Permit) that the posture
ACL will take.
Step 16 Click OK.
CiscoWorks Management Center for Cisco Security Agent receives host posture information
from the Cisco Security Agent software that it manages. It also maintains a watch list of IP
addresses that it has determined should be quarantined from the network.
Note The host posture and watch list IP address information is not associated with a virtual
sensor, but is treated as global information.
CiscoWorks Management Center for Cisco Security Agent sends two types of events to the
sensor—host posture events and quarantined IP address events. Host posture events contain the
following information:
Unique host ID assigned by CiscoWorks Management Center for Cisco Security Agent
Cisco Security Agent status
Host system hostname
Set of IP addresses enabled on the host
Cisco Security Agent software version
Cisco Security Agent polling status
Cisco Security Agent test mode status
Network Admission Control (NAC) posture
The quarantined IP address events contain the following information:
Reason for the quarantine
Protocol associated with a rule violation (TCP, UDP, or Internet Control Message Protocol
[ICMP])
Indicator of whether a rule-based violation was associated with an established session or a
UDP packet.
The sensor uses the information from these events to determine the risk rating increase based
on the information in the event and the risk rating configuration settings for host postures and
quarantined IP addresses.
Figure: Management Center for Cisco Security Agent, with internal or external database, sends
host postures as CSAEE events and quarantined IP addresses as CSAEE events to the external
product interface of the sensor (security policy).
Cisco Security Agent software installed on hosts reports attack information to the CiscoWorks
Management Center for Cisco Security Agent. Once integrated into the IPS installation, the
CiscoWorks Management Center for Cisco Security Agent sends host postures and quarantined
IP addresses to the external product interface component of the sensor. That component
converts the host postures to operating system identifications. It also calculates the risk rating
delta for quarantined IP addresses. These are then forwarded to the SensorApp for processing
as a signature alert.
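The receipt settings (Steps 9 and 10), the posture ACLs (Steps 12 through 16), and the conversion of host postures to operating system identifications described above can be modelled as a filter over posture events. The Python below is an added example for this guide, not sensor or CiscoWorks Management Center code. Assumptions, not stated on the page: the Network Address field is written in prefix notation, active posture ACLs are evaluated in order with the first match deciding and no match permitting, the posture carries an OS name field, and the watch list RR increase is returned as the configured value without modelling how the percentage enters the risk rating. The sample settings and postures are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class PostureACL:            # Steps 12-16 above
    name: str
    active: bool
    network: str             # network address, assumed in prefix notation, e.g. "10.99.0.0/16"
    action: str              # "Permit" or "Deny"


@dataclass
class HostPosture:           # subset of the host posture event fields listed above
    host_id: int
    hostname: str
    addresses: List[str]     # set of IP addresses enabled on the host
    os_name: str             # OS identity derived from the posture (field name assumed)
    reachable: bool          # False when the MC cannot connect to any of the addresses


@dataclass
class InterfaceSettings:
    receive_host_postures: bool = True          # Step 9
    allow_unreachable_postures: bool = False    # Step 10
    posture_acls: List[PostureACL] = field(default_factory=list)
    receive_watch_list: bool = True
    manual_watch_list_rr_increase: int = 25     # default 25, valid range 0-35
    session_watch_list_rr_increase: int = 25    # default 25, valid range 0-35

    def __post_init__(self) -> None:
        for v in (self.manual_watch_list_rr_increase, self.session_watch_list_rr_increase):
            if not 0 <= v <= 35:
                raise ValueError("watch list RR increase must be 0-35")
        for acl in self.posture_acls:
            if acl.action not in ("Permit", "Deny"):
                raise ValueError(f"bad action in posture ACL {acl.name}")


def acl_permits(acls: List[PostureACL], address: str, default: bool = True) -> bool:
    """First active ACL whose network contains the address decides (order and default assumed)."""
    addr = ip_address(address)
    for acl in acls:
        if acl.active and addr in ip_network(acl.network, strict=False):
            return acl.action == "Permit"
    return default


def accept_posture(settings: InterfaceSettings, posture: HostPosture) -> Tuple[List[str], str]:
    """Addresses of the posture the sensor keeps, plus the reason when none are kept."""
    if not settings.receive_host_postures:
        return [], "receipt of host postures disabled; posture deleted"
    if not posture.reachable and not settings.allow_unreachable_postures:
        return [], "host unreachable by the Management Center; posture filtered"
    kept = [a for a in posture.addresses if acl_permits(settings.posture_acls, a)]
    return kept, "accepted" if kept else "all addresses denied by posture ACLs"


def os_identifications(settings: InterfaceSettings, postures: List[HostPosture]) -> Dict[str, str]:
    """Convert accepted postures into the address -> OS identification map the sensor uses."""
    ids: Dict[str, str] = {}
    for p in postures:
        kept, _ = accept_posture(settings, p)
        for a in kept:
            ids[a] = p.os_name
    return ids


def watch_list_rr_increase(settings: InterfaceSettings, session_based: bool) -> int:
    """Configured RR increase for a quarantined address; 0 when watch list receipt is disabled."""
    if not settings.receive_watch_list:
        return 0
    return settings.session_watch_list_rr_increase if session_based else settings.manual_watch_list_rr_increase


# Constructed settings: deny a lab range, permit the rest of 10/8; the third ACL is inactive.
SAMPLE_SETTINGS = InterfaceSettings(posture_acls=[
    PostureACL("no-lab", True, "10.99.0.0/16", "Deny"),
    PostureACL("corp", True, "10.0.0.0/8", "Permit"),
    PostureACL("block-all", False, "0.0.0.0/0", "Deny"),
])

SAMPLE_POSTURES = [   # constructed
    HostPosture(1, "ws01", ["10.1.2.3"], "Windows XP", True),
    HostPosture(2, "lab07", ["10.99.1.1"], "Linux", True),
    HostPosture(3, "mobile3", ["10.5.5.5"], "Windows 2000", False),
    HostPosture(4, "srv02", ["10.99.1.2", "10.7.7.7"], "Solaris", True),
]

if __name__ == "__main__":
    print(os_identifications(SAMPLE_SETTINGS, SAMPLE_POSTURES))
```

With Allow Unreachable Hosts' Postures left unchecked, the unreachable host contributes nothing; the lab host is dropped by the Deny ACL, and the dual-homed server is identified only by the address the ACLs permit, which is the duplicate-address filtering the Notes above describe.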
External Product Interface Collaboration
Naming Conventions
The vocabulary of the two technologies, CiscoWorks Management Center for Cisco Security
Agent and the Cisco IPS Sensor, differs on key points. What the Cisco IPS sensor processes as
the operating system identification, the CiscoWorks Management Center for Cisco Security
Agent calls a host posture. The Cisco IPS sensor watch list is referred to as quarantined IP
addresses by CiscoWorks Management Center for Cisco Security Agent.
Cisco ICS is a server-based software application that helps you manage your incident control
initiatives. Built on incident-control technology from Trend Micro, Cisco ICS gives you the
means to protect your organization from newly discovered network-based threats.
Use the Cisco ICS web console to manage the Cisco ICS server and perform the following
tasks:
Deploy policies to Cisco network devices to block the traffic and ports that network-based
threats use to propagate
Create reports about the tasks that you create to address threats on your network
Use logs to analyze your protection
Configure notifications to alert you about threat-related events and Cisco ICS threat-
protection updates
Clean up infected hosts to remove viruses and other threats
Cisco ICS Technology
The Cisco ICS is a means to control the outbreak of network-based threats on your network.
The incident control system is managed by a central server, the Cisco ICS server, and uses
threat-specific ACLs and signature files to help identify network threats and mitigate the effects
of outbreaks. With these components, your Cisco network devices can become defense nodes
against new outbreaks.
You can deploy Outbreak Prevention ACLs (OPACLs) and Outbreak Prevention Signatures
(OPSigs) from the web console when you create items called outbreak management tasks or
when you enable Cisco ICS to automate the creation of tasks.
Figure: Cisco ICS technology (IPS v6.0—4-28). TrendLabs supplies outbreak management tasks
(OPACL and OPSig) to the Cisco ICS server; Cisco ICS deploys the OPACL to switches and routers
and the OPSig to Cisco IOS IPS and IPS devices, collects log and watch list information, and
accepts modifications to the OPACL and exception list; the DCS server performs damage cleanup on
host computers (cleanup command, host status) and reports host infection status.
Soon after Trend Micro TrendLabs discovers a new threat, the following sequence of events
takes place:
Step 1 TrendLabs releases an outbreak management task file that contains an OPACL to
address the new threat.
Step 2 As the Cisco ICS server polls the update source for new components, it discovers
that the new outbreak management task is available.
Step 3 Cisco ICS downloads the new outbreak management task file.
Step 5 Your Cisco network devices block the ports and the types of traffic specified in the
OPACL until the OPACL expires.
Step 6 Approximately two hours after TrendLabs releases the OPACL, it releases an
OPSig, which enables IPS devices to detect the new threat and other threats that
TrendLabs discovered.
Step 7 Cisco ICS downloads and deploys the OPSig to Cisco IPS devices. The OPACL for
the threat expires on all devices when Cisco ICS deploys the OPSig.
Step 8 While they scan network traffic, Cisco IPS devices use the OPSig to identify any
threats that might attack the network.
Step 9 If a Cisco IPS device detects a threat in the network traffic from a certain host, Cisco
ICS considers the host to be potentially infected and puts it on a watch list. You can
view the watch list to see which hosts on your network need attention.
Step 10 If you installed Damage Cleanup Services (DCS), you can run a Damage Cleanup
scan on the potentially infected host to attempt to remove the threat.
Summary
This topic summarizes the key points that were discussed in this lesson.
Overview
This lesson focuses on configuring different instances of virtual sensors. It will include a
discussion of interfaces, signatures, event rules, and anomaly detection.
Objectives
Upon completing this lesson, you will be able to explain the virtual sensor, its settings, and
advantages. This ability includes being able to meet these objectives:
Explain the principles behind virtual sensors
Prepare for creating virtual sensors by creating inline pairs, signature policies, event action
rules, and anomaly detection policies
Create a virtual sensor by giving it a name and assigning interfaces
Virtual Sensor Overview
This topic describes the principles behind virtual sensors.
The sensor can receive data inputs from one or many monitored data streams. These monitored
data streams can be either physical interface ports or virtual interface ports. For example, a
single sensor can monitor traffic from in front of the firewall, from behind the firewall, or from
in front of and behind the firewall concurrently, and a single sensor can monitor one or more
data streams. Without virtual sensors, a single sensor policy or configuration is applied to all
monitored data streams.
A virtual sensor can monitor multiple segments, and let you apply a different policy or
configuration for each virtual sensor within a single physical sensor. You can set up a different
policy per monitored segment under analysis. You can also apply the same policy instance, for
example, sig0, rules0, or ad0, to different virtual sensors.
You can assign interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups to a
virtual sensor.
Note The default virtual sensor is “vs0.” You cannot delete the default virtual sensor.
Virtual Sensor Restrictions
Among older sensors, the Cisco IDS 4235 and Cisco IDS 4250 XL Sensors support multiple virtual sensors.
The Cisco IPS 4240, Cisco IPS 4255, and Cisco IPS 4260 Sensors fully support multiple virtual sensors.
The Cisco Catalyst 6500 Series IDSM-2 supports multiple virtual sensors except for VLAN groups on inline interface pairs.
The Cisco ASA AIP-SSM does not support multiple virtual sensors until Cisco ASA Software Version 8.0.
The Cisco IDS 4215 Sensor supports a single virtual sensor because of limited memory.
There is a maximum of four virtual sensors on all platforms that support multiple virtual sensors.
The Cisco Catalyst 6500 Series Intrusion Detection System Services Module 2 (IDSM-2)
supports virtualization with the exception of VLAN groups on inline interface pairs. The Cisco
IDS 4215 Sensor supports only one virtual sensor.
Virtual Sensor Advantages
Interfaces
The Analysis Engine performs packet analysis and alert detection. It monitors traffic that flows
through specified interfaces.
Virtualization requires that the sensor is running in inline mode. It also requires 802.1Q
tagging. Therefore, the only interface configurations that virtual sensors support are inline
interface pairs, inline VLAN pairs, and VLAN groups.
Packets from interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups that are
not assigned to any virtual sensor are disposed of according to the inline bypass configuration.
Adding Inline VLAN Pairs
(Figure: inline VLAN pair fields: Physical Interface, Subinterface Number, VLAN A, VLAN B)
Step 1 From the VLAN Pairs window, choose the VLAN pair that you wish to edit, and
click Edit.
Step 2 You can change the subinterface number, the VLAN numbers, or edit the
description.
Step 3 Click OK.
To delete a VLAN pair, choose the VLAN and follow these steps:
Step 2 Click Apply to apply your changes and save the revised configuration.
(Figure: VLAN group fields: Physical Interface, Subinterface Number, All VLANs, Specific VLANs)
Because a VLAN group of an inline pair does not translate the VLAN ID (VID), an inline pair
interface must exist between two switches to use VLAN groups on a logical interface. For an
appliance, you can connect the two pairs to the same switch, make them access ports, and then
set the access VLANs for the two ports differently. In this configuration, the sensor connects
between two VLANs, because each of the two ports is in access mode and carries only one
VLAN. In this case, the two ports must be in different VLANs, and the sensor bridges the two
VLANs, monitoring any traffic that flows between the two VLANs. Cisco Catalyst 6500 Series
IDSM-2 also operates in this manner, because its two data ports are always connected to the
same switch.
You can also connect appliances between two switches. There are two variations to this. In the
first variation, the two ports are configured as access ports, so they carry a single VLAN. In this
way, the sensor bridges a single VLAN between the two switches.
In the second variation, the two ports are configured as trunk ports, so they can carry multiple
VLANs. In this configuration, the sensor bridges multiple VLANs between the two switches.
Because multiple VLANs are carried over the inline interface pair, the VLANs can be divided
into groups and each group can be assigned to a virtual sensor.
Step 1 Log into the Cisco IDM using an account with administrator privileges.
Step 5 In the Subinterface Number field, enter a subinterface number (1 to 255) for the
VLAN group.
Step 6 Under the VLAN Group section, specify the VLAN group for this interface by
checking one of the following check boxes:
— Unassigned VLANs: This lets you assign all of the VLANs that are not already
specifically assigned to a subinterface.
— Specify VLAN Group: This lets you specify the VLANs that you want to assign to
this subinterface. You can assign more than one VLAN (1 to 4096) in this pattern: 1,
5-8, 10-15. This option lets you set up different policies based on the VID. For
example, you can make VLANs 1 to 10 go to one virtual sensor (VS0) and VLANs
20 to 30 go to another virtual sensor (VS1).
Note In the Specify VLAN Group field you must enter the VIDs as they appear on your switch.
Step 7 If you want to, you can add a description of the VLAN group in the Description
field.
The new VLAN group appears in the list in the VLAN Groups pane. You must assign this
VLAN group to a virtual sensor.
In the Signature Definitions pane, you can add, clone, or delete a signature definition policy.
The default signature definition policy is called sig0. When you add a policy, a control
transaction is sent to the sensor to create the new policy instance. If the response is successful,
the new policy instance is added under Signature Definitions. If the control transaction fails, for
example because of resource limitations, an error message appears.
If your platform does not support virtual policies, this means that you can have only one
instance for each component and you cannot create new ones or delete the existing one. In this
case, the Add, Clone, and Delete buttons are disabled.
Note You must be an administrator or operator to add, clone, or delete signature policies.
Adding Signature Policies
(Figure: Add Policy dialog box, Signature Policy Name field)
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 4 In the Policy Name field, enter a name for the signature definition policy.
Step 6 To clone an existing signature definition policy, choose it in the list, and then click
Clone.
Note The Clone Policy dialog box appears with “_copy” appended to the existing signature
definition policy name.
In the Event Action Rules pane, you can add, clone, or delete an event action rules policy. The
default event action rules policy is called rules0. When you add a policy, a control transaction
is sent to the sensor to create the new policy instance. If the response is successful, the new
policy instance is added under Event Action Rules. If the control transaction fails, for example
because of resource limitations, an error message appears.
If your platform does not support virtual policies, this means that you can have only one
instance for each component and you cannot create new ones or delete the existing one. In this
case, the Add, Clone, and Delete buttons are disabled.
Adding Event Rule Policies
(Figure: Add Policy dialog box, Rule Policy Name field)
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 2 Click Configuration and choose Policies > Event Action Rules.
Step 4 Enter a name for the event action rules policy in the Policy Name field.
Step 6 To clone an existing event action rules policy, choose it in the list, and then click
Clone.
Note The Clone Policy dialog box appears with “_copy” appended to the existing event action
rules policy name.
In the Anomaly Detections pane, you can add, clone, or delete an anomaly detection policy.
The default anomaly detection policy is called ad0. When you add a policy, a control
transaction is sent to the sensor to create the new policy instance. If the response is successful,
the new policy instance is added under Anomaly Detections. If the control transaction fails, for
example because of resource limitations, an error message appears.
If your platform does not support virtual policies, this means that you can have only one
instance for each component and you cannot create new ones or delete the existing one. In this
case, the Add, Clone, and Delete buttons are disabled.
Note Anomaly detection is covered in more depth in the “Configuring Advanced Features” lesson.
Adding Anomaly Detection Policies
(Figure: Add Policy dialog box, Anomaly Detection Policy Name field)
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 4 In the Policy Name field, enter a name for the anomaly detection policy.
Step 6 To clone an existing anomaly detection policy, choose it in the list, and then click
Clone.
Note The Clone Policy dialog box appears with “_copy” appended to the existing anomaly
detection policy name.
Virtual Sensor
You create virtual sensors in the Analysis Engine. Each virtual sensor has a unique name with a
list of interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups associated with
it. To avoid definition ordering issues, no conflicts or overlaps are allowed in assignments—
you assign interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups to a specific
virtual sensor so that no packet is processed by more than one virtual sensor. Each virtual
sensor is also associated with a specifically named signature definition, event action rules, and
anomaly detection configuration. Packets from interfaces, inline interface pairs, inline VLAN
pairs, and VLAN groups that are not assigned to any virtual sensor are disposed of according to
the inline bypass configuration.
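As an added illustration (not code from Cisco IPS or IDM), the following Python models two of the rules stated above: the Specify VLAN Group pattern (for example 1, 5-8, 10-15, with VIDs from 1 to 4096 and subinterface numbers from 1 to 255, as the VLAN group procedure describes) and the requirement that no packet be processed by more than one virtual sensor. The interface name pair0, the virtual sensor names vs0 through vs3, and the VLAN assignments are constructed sample values.

```python
"""Added example: parse IDM-style VLAN group specifications and enforce the
no-overlap rule for virtual sensor assignments. Illustrative code only; it is
not Cisco IPS or IDM source."""
from __future__ import annotations

from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX = 1, 4096    # VID range as stated in the student guide
SUBIF_MIN, SUBIF_MAX = 1, 255   # subinterface numbers for VLAN groups


def parse_vlan_group(spec: str) -> set[int]:
    """Turn a Specify VLAN Group string such as '1, 5-8, 10-15' into a set of VIDs.

    Raises ValueError for malformed tokens, descending ranges, or VIDs outside
    VLAN_MIN..VLAN_MAX.
    """
    vids: set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        lo_s, _, hi_s = token.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if lo > hi:
            raise ValueError(f"descending range {token!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VID outside {VLAN_MIN}-{VLAN_MAX}: {token!r}")
        vids.update(range(lo, hi + 1))
    return vids


@dataclass
class VlanGroup:
    physical: str                  # inline interface pair the group belongs to (constructed name)
    subinterface: int
    vlans: set[int] | None         # None models the "Unassigned VLANs" check box
    virtual_sensor: str | None = None


@dataclass
class VlanGroupTable:
    groups: list[VlanGroup] = field(default_factory=list)

    def add(self, group: VlanGroup) -> None:
        """Accept a group only if it conflicts with nothing already on the same interface."""
        if not SUBIF_MIN <= group.subinterface <= SUBIF_MAX:
            raise ValueError(f"subinterface {group.subinterface} outside {SUBIF_MIN}-{SUBIF_MAX}")
        for existing in self.groups:
            if existing.physical != group.physical:
                continue
            if existing.subinterface == group.subinterface:
                raise ValueError(f"subinterface {group.subinterface} already in use on {group.physical}")
            if existing.vlans is None and group.vlans is None:
                raise ValueError(f"only one Unassigned VLANs group is allowed on {group.physical}")
            if existing.vlans is not None and group.vlans is not None:
                overlap = existing.vlans & group.vlans
                if overlap:
                    raise ValueError(f"VIDs {sorted(overlap)} already assigned to subinterface {existing.subinterface}")
        self.groups.append(group)

    def resolve(self, physical: str, vid: int) -> str | None:
        """Return the virtual sensor that analyzes a frame tagged `vid` on `physical`.

        A specific group wins over the Unassigned VLANs group. None means no
        virtual sensor covers the VID, so the frame is handled by the inline
        bypass configuration rather than analyzed.
        """
        fallback = None
        for group in self.groups:
            if group.physical != physical:
                continue
            if group.vlans is None:
                fallback = group.virtual_sensor
            elif vid in group.vlans:
                return group.virtual_sensor
        return fallback


def demo() -> dict:
    """Build the page's VLAN 1-10 -> vs0, VLAN 20-30 -> vs1 split plus a catch-all group."""
    table = VlanGroupTable()
    table.add(VlanGroup("pair0", 1, parse_vlan_group("1-10"), "vs0"))
    table.add(VlanGroup("pair0", 2, parse_vlan_group("20-30"), "vs1"))
    try:
        table.add(VlanGroup("pair0", 3, parse_vlan_group("25, 40-45"), "vs2"))  # VID 25 overlaps vs1
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True
    table.add(VlanGroup("pair0", 4, None, "vs3"))  # Unassigned VLANs catch-all
    return {
        "vid5": table.resolve("pair0", 5),
        "vid25": table.resolve("pair0", 25),
        "vid99": table.resolve("pair0", 99),
        "unknown_interface": table.resolve("pair1", 5),
        "overlap_rejected": overlap_rejected,
    }
```

The resolve() method also shows the last rule of the paragraph above: a VID that no group on the interface covers returns None, which is the case in which the inline bypass configuration, not a virtual sensor, decides what happens to the frame.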
Adding a Virtual Sensor
(Figure: Add Virtual Sensor dialog box: Virtual Sensor Name, Signature Policy, Rule Policy, Anomaly Detection Policy, Interfaces)
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 2 Click Configuration and choose Analysis Engine > Virtual Sensors.
Step 4 Enter a name for the virtual sensor in the Virtual Sensor Name field.
Step 5 Choose a signature definition policy from the Signature Definition Policy drop-
down list.
Tip Unless you want to use the default sig0, you must have already added a signature definition
policy by choosing Configuration > Policies > Signature Definitions > Add.
Step 6 Choose an event action rules policy from the Event Action Rules Policy drop-down
list.
Tip Unless you want to use the default rules0, you must have already added an event action
rule by choosing Configuration > Policies > Event Action Rules > Add.
Step 7 Choose an anomaly detection policy from the Anomaly Detection Policy drop-down
list.
Tip Unless you want to use the default ad0, you must have already added an anomaly detection
policy by choosing Configuration > Policies > Anomaly Detections > Add.
Step 10 To assign the interface to the virtual sensor, choose it and click Assign.
Note Only the available interfaces are listed in the Available Interfaces list. If other interfaces exist
but have already been assigned to a virtual sensor, they do not appear in this list.
Summary
This topic summarizes the key points that were discussed in this lesson.
Configuring Advanced Features
Overview
This lesson presents two new advanced features to the Cisco Intrusion Prevention System (IPS)
product line: anomaly detection and passive operating system fingerprinting (POSFP). These
features provide significant worm protection and alarm relevance in addition to IPS.
Objectives
Upon completing this lesson, you will be able to explain, configure, and monitor anomaly
detection and POSFP. This ability includes being able to meet these objectives:
Explain the principles behind anomaly detection
Explain the components used by anomaly detection
Configure anomaly detection
Monitor and troubleshoot problems with anomaly detection
Explain the principles behind POSFP
Explain the different methods available to identify operating systems
Explain the available configuration options for POSFP
Examine the results of POSFP
Anomaly Detection Overview
This topic describes the principles behind anomaly detection.
The anomaly detection component of the sensor detects worm-infected hosts. Anomaly
detection enables the sensor to be less dependent on signature updates for protection against
worm viruses, such as Code Red, SQL Slammer, and so on. The anomaly detection component
lets the sensor learn normal activity, send alerts, and take dynamic response actions for
behavior that deviates from what it has learned as normal behavior.
Note Anomaly detection does not detect e-mail-based worms, such as Melissa.
Worm viruses are automated, self-propagating intrusion agents that copy themselves and then
facilitate their spread. Worm viruses attack a vulnerable host, infect it, and then use it as a base
to attack other vulnerable hosts. They search for other hosts by using a form of network
inspection, typically a scan, and then propagate to the next target. A scanning worm virus
locates vulnerable hosts by generating a list of IP addresses to probe, and then contacts the
hosts. Code Red worm, Sasser worm, Blaster worm, and the SQL Slammer worm are examples
of worms that spread in this manner.
Anomaly Detection Objectives
On the TCP protocol, the events that are important to monitor are nonestablished connections,
such as a synchronize/start (SYN) packet that has not received its SYN-acknowledgment (ACK)
response within a given amount of time. A worm-infected host that scans using the TCP protocol
generates nonestablished connections on the same destination port for an anomalous number of
IP addresses.
On the UDP protocol, the events that are important to monitor are unidirectional connections,
such as a UDP connection in which all of the packets go in only one direction. A worm-infected
host that scans using the UDP protocol sends UDP packets but does not receive UDP packets on
the same quad (source address, source port, destination address, and destination port) within a
certain time period, on the same destination port for multiple destination IP addresses.
For other protocols, such as Internet Control Message Protocol (ICMP), the events that are
important to monitor are packets from a source IP address to many different destination IP
addresses (that is, packets that are seen in only one direction).
Caution If a worm virus has a list of IP addresses that it should infect and does not have to use
scanning to spread itself (for example, it uses passive mapping—listening to the network as
opposed to active scanning), it will not be detected by the worm policies of anomaly
detection. Worm viruses that receive a mailing list from probing files within the infected host
and e-mail this list will not be detected, because no Layer 3 or Layer 4 anomaly is
generated.
Scanners
A scanner is a source IP address that generates events on the same destination port (in TCP or
UDP) for too many destination IP addresses. A scanner should not be confused with an
attacker. Typical attackers use a variety of IP addresses to avoid prosecution. Simply put, one
attacker may actually be represented as dozens or even hundreds of scanners.
Histograms
# Source IP addresses         A     B     C
# Destination IP addresses    5    20   100
In the chart, the first column represents a certain number of sources, scanning five different
destinations, where A represents the number of sources. The second column represents a certain
number of sources, scanning 20 different targets, where B represents the number of sources.
The last column is a certain number of sources, scanning 100 different targets, where C
represents the number of sources. Collectively, it represents frequency distributions.
In the example, the roles of the histogram and scanner thresholds are combined. Given a
scanner threshold of 120, the example says that not more than 120 incomplete connections to
different destinations are expected to be seen. If that occurs, a signature fires.
The histogram defines the rest of the expectations. This histogram does not expect to see 18
different scanners, each with 5 or more destination addresses. It also does not expect to see 6
different scanners, each with 20 or more destination addresses.
Finally, this histogram example does not expect to see 2 different scanners generate incomplete
connections to 100 or more different destinations.
Zones
A zone is a set of destination IP addresses. By subdividing the network into zones, you can
achieve a lower false negative rate. There are three types of zones, each with its own
thresholds: internal, external, and illegal.
The external zone is the default zone with the default Internet range of
0.0.0.0-255.255.255.255. By default, the internal and illegal zones contain no IP addresses.
Packets that do not match the set of IP addresses in the internal or illegal zone are handled by
the external zone.
It is recommended that you configure the internal zone with the IP address range of your
internal network. If you configure the internal zone in this way, the internal zone is all of the
traffic that comes to your IP address range, and the external zone is all of the traffic that goes to
the Internet.
You can configure the illegal zone with IP address ranges that should never be seen in normal
traffic, for example, unallocated IP addresses, or part of your internal IP address range that is
unoccupied. An illegal zone can be very helpful for accurate detection, because no legal traffic
is expected to reach this zone. This configuration allows very low thresholds, which in turn, can
lead to very quick worm virus detection.
(Figure: Configuration > Anomaly Detections > ad0, with Internal Zone, Illegal Zone, and External Zone tabs)
You enable the zone from the General tab. If the zone is disabled, packets to this zone are
ignored. By default, the zone is enabled.
Next, you add the IP addresses that belong to this zone. If you do not configure IP addresses for
all zones, all packets are sent to the default zone, which is the external zone.
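The zone handling described above, as an added example (not Cisco IPS code): destination addresses are matched against the internal and illegal zones and everything else falls to the external zone, a disabled zone ignores its packets, and each zone carries its own scanner threshold. The address ranges, thresholds, and sample addresses are constructed; the choice to test the illegal zone before the internal one is an assumption, made so that an unoccupied slice of the internal range can be declared illegal as the text suggests.

```python
"""Added example: classify destination addresses into the anomaly detection
internal, illegal, and external zones. Illustrative code only; it is not Cisco
IPS source. Address ranges and thresholds below are constructed sample values."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Tuple[int, int]


def parse_ranges(spec: str) -> List[Range]:
    """Parse 'a.b.c.d-w.x.y.z, e.f.g.h' into inclusive (low, high) integer pairs.

    A bare address is a one-address range; a descending range is rejected.
    """
    ranges: List[Range] = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        lo_s, _, hi_s = token.partition("-")
        lo = int(ipaddress.IPv4Address(lo_s))
        hi = int(ipaddress.IPv4Address(hi_s)) if hi_s else lo
        if lo > hi:
            raise ValueError(f"descending range {token!r}")
        ranges.append((lo, hi))
    return ranges


@dataclass
class Zone:
    name: str
    ranges: List[Range]
    enabled: bool = True          # General tab: a disabled zone ignores its packets
    scanner_threshold: int = 0    # each zone carries its own thresholds

    def contains(self, addr: int) -> bool:
        return any(lo <= addr <= hi for lo, hi in self.ranges)


@dataclass
class ZoneConfig:
    internal: Zone
    illegal: Zone
    external: Zone

    def zone_for(self, dst_ip: str) -> Zone:
        """Pick the zone that handles dst_ip.

        Assumption (the page states no precedence): the illegal zone is checked
        before the internal zone so that an unoccupied slice of the internal
        range can be declared illegal. Anything matching neither falls to the
        external zone, which is the default.
        """
        addr = int(ipaddress.IPv4Address(dst_ip))
        for zone in (self.illegal, self.internal):
            if zone.contains(addr):
                return zone
        return self.external

    def classify(self, dst_ip: str) -> Optional[str]:
        """Zone name that handles dst_ip, or None when that zone is disabled."""
        zone = self.zone_for(dst_ip)
        return zone.name if zone.enabled else None

    def threshold_for(self, dst_ip: str) -> Optional[int]:
        """Scanner threshold that applies to traffic toward dst_ip, or None if ignored."""
        zone = self.zone_for(dst_ip)
        return zone.scanner_threshold if zone.enabled else None


def build_example() -> ZoneConfig:
    """Constructed topology: 10.0.0.0/8 is internal, its unoccupied top slice is
    illegal (so a very low threshold is safe there), and the Internet default
    range stays external."""
    return ZoneConfig(
        internal=Zone("internal", parse_ranges("10.0.0.0-10.255.255.255"), scanner_threshold=200),
        illegal=Zone("illegal", parse_ranges("10.250.0.0-10.255.255.255"), scanner_threshold=5),
        external=Zone("external", parse_ranges("0.0.0.0-255.255.255.255"), scanner_threshold=100),
    )
```

The low threshold on the illegal zone is the point of the paragraph above: because no legitimate traffic should reach those addresses, a handful of probes toward them is already anomalous, whereas the same count toward the internal zone would be normal.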
Learning
Anomaly detection initially conducts a “peacetime” learning process, during which the network
is assumed to be in its normal state. Anomaly detection then derives a set of policy thresholds
that best fit the normal network. This learning is done in two phases:
Learn mode
Detect mode
In the initial setup, the sensor is in learning mode. It is assumed that during this phase no attack
is being carried out. Anomaly detection creates an initial baseline of the network traffic. This
initial baseline is known as a knowledge base. The default amount of time for anomaly
detection to be in the learning mode is 24 hours, but depending on your network complexity,
you may want to change this default. After the learning mode time has expired, you terminate
this phase by configuring anomaly detection to operate in detect mode.
For ongoing operation, the sensor is in learning plus detecting mode. The sensor is in this state
24 hours a day, 7 days a week. Once the sensor creates a knowledge base, anomaly detection detects
attacks based on the knowledge base. The sensor looks at the network traffic flows that violate
thresholds in the knowledge base and sends alerts. As anomaly detection looks for anomalies, it
also records gradual changes to the knowledge base that do not violate the thresholds and thus
creates a new knowledge base. The new knowledge base is periodically saved and takes the
place of the old one, thereby maintaining an up-to-date knowledge base.
By default, anomaly detection functions even if you do not follow the two phases and manually
change the operational mode from learning to detect. Anomaly detection does not detect attacks
when working with the initial knowledge base, which is empty. After the default of 24 hours,
the default operational mode is changed to detect. A knowledge base is saved and loaded, and
anomaly detection now also detects attacks.
Note Allowing the sensor to learn for more than 24 hours results in fewer false positives.
Operational Mode to Learn
(Figure: Edit Virtual Sensor dialog box, AD Operational Mode field)
Step 1 Log into the Cisco IPS Device Manager (IDM) using an account with administrator
or operator privileges.
Step 2 Click Configuration and choose Analysis Engine > Virtual Sensors.
Step 3 To edit a virtual sensor, choose the virtual sensor and click Edit.
Anomaly detection monitors the network traffic and looks for worms and scanners.
Anomaly detection compares traffic to the knowledge base histogram and scanner threshold.
Once a scanner threshold is violated, an alert is triggered for the appropriate signature.
Once a histogram threshold is crossed, the service is considered to be under worm attack.
– Anomaly detection tries to detect infected hosts.
– The service scanner threshold is changed to the histogram bucket value (5, 20, or 100).
Learning is aborted when an attack is detected.
Learning is resumed after no attacks are detected for a configurable time period.
Anomaly detection monitors the network, constantly looking for worms and scanners. Once the
scanner threshold is crossed, an alert is triggered. When a histogram threshold is crossed, the
scanner is assumed to be a worm. During the time that the sensor believes there is a worm
attack, learning is suspended, so the anomalous traffic is not calculated as part of “normal”
traffic. Because learning is suspended, the learned baseline of “normal” traffic should not be
affected.
Once the worm attack is over, learning resumes. The time period for resuming learning is
configurable.
Note When the virtual sensor is in detect mode, learned thresholds can only go higher.
Detection Example
# Source IP addresses        18     6     2
# Destination IP addresses    5    20   100
Scanner Threshold = 145
The scanner threshold in the example is set to 145, which means that any single scanner that
scans 145 or more hosts will be detected. An alert is fired at this point.
When more than 6 hosts scan 20 or more targets, a worm is presumed, and the scanner
threshold reduces to 20. However, no alert is fired. From now until the end of the attack, every
host that scans 20 or more destinations is detected as part of the worm attack.
(Figure: Edit Virtual Sensor dialog box, AD Operational Mode field)
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 2 Click Configuration and choose Analysis Engine > Virtual Sensors.
Step 3 To edit a virtual sensor, choose the virtual sensor and click Edit.
Signatures
The Traffic Anomaly engine contains nine anomaly detection signatures covering three
protocols: TCP, UDP, and Other. Each signature has two subsignatures, one for the scanner and
the other for the worm-infected host, or a scanner under worm attack. When anomaly detection
discovers an anomaly, it triggers an alert for these signatures. All anomaly detection signatures
are enabled by default and the alert severity for each one is set to High.
When a scanner is detected but no histogram anomaly has occurred, the scanner signature fires
for that attacker (scanner) IP address. If the histogram signature is triggered, the attacker
addresses that are doing the scanning each trigger the worm signature, instead of the scanner
signature. The alert details define which threshold is being used for the worm detection now
that the histogram has been triggered. From that point on, all scanners are detected as worm-
infected hosts.
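The following Python is an added example, not Cisco IPS code, that replays the numbers used in the Histograms topic and the Detection Example above (scanner threshold 145; a worm attack is presumed when more than 6 hosts scan 20 or more targets, after which the threshold drops to 20) and labels each alert with the scanner or worm subsignature as described in this Signatures topic. It also models the rules from the Learning topic: learning is suspended while a worm attack is believed to be under way, and in detect mode a learned threshold can only go higher. All addresses are constructed sample values, and the choice of the smallest crossed bucket when several buckets are crossed at once is an assumption.

```python
"""Added example: simulate the scanner threshold and histogram logic of anomaly
detection for one service (protocol + destination port). Illustrative code
only; it is not Cisco IPS source. Addresses are constructed sample values."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Histogram in the page's shape: bucket = number of destination addresses,
# value = how many scanners with at least that many destinations are expected.
DEFAULT_HISTOGRAM = {5: 18, 20: 6, 100: 2}


@dataclass
class ServiceDetector:
    scanner_threshold: int = 145                      # learned threshold for this service
    histogram: dict = field(default_factory=lambda: dict(DEFAULT_HISTOGRAM))
    destinations: dict = field(default_factory=lambda: defaultdict(set))  # src -> {dst}
    worm_attack: bool = False
    learning_suspended: bool = False
    effective_threshold: int = field(init=False)
    alerted: set = field(default_factory=set)
    alerts: list = field(default_factory=list)        # (subsignature, source) pairs

    def __post_init__(self) -> None:
        self.effective_threshold = self.scanner_threshold

    def observe(self, src: str, dst: str) -> None:
        """Record one nonestablished TCP connection (or one-way UDP/ICMP flow)
        from src to dst on this service, then re-evaluate both thresholds."""
        self.destinations[src].add(dst)
        self._check_histogram()
        self._check_scanner(src)

    def _scanners_with_at_least(self, n: int) -> int:
        return sum(1 for dsts in self.destinations.values() if len(dsts) >= n)

    def _check_histogram(self) -> None:
        if self.worm_attack:
            return
        crossed = [bucket for bucket, expected in sorted(self.histogram.items())
                   if self._scanners_with_at_least(bucket) > expected]
        if not crossed:
            return
        # A histogram crossing fires no alert by itself: it declares a worm attack,
        # suspends learning, and lowers the scanner threshold to the bucket value.
        # Assumption: when several buckets are crossed, the smallest one is used.
        self.worm_attack = True
        self.learning_suspended = True
        self.effective_threshold = crossed[0]
        for src in list(self.destinations):   # hosts already over the new threshold
            self._check_scanner(src)           # are now reported as worm-infected

    def _check_scanner(self, src: str) -> None:
        if src in self.alerted or len(self.destinations[src]) < self.effective_threshold:
            return
        self.alerted.add(src)
        self.alerts.append(("worm" if self.worm_attack else "scanner", src))

    def end_of_attack(self) -> None:
        """After the configurable quiet period: restore the learned threshold, resume learning."""
        self.worm_attack = False
        self.learning_suspended = False
        self.effective_threshold = self.scanner_threshold
        self.alerted.clear()

    def learn(self, observed_max: int, detect_mode: bool) -> int:
        """Fold a peacetime observation into the knowledge base; return the threshold.
        Nothing is learned while a worm attack is believed to be under way, and in
        detect mode a learned threshold can only go higher."""
        if self.learning_suspended:
            return self.scanner_threshold
        if detect_mode:
            self.scanner_threshold = max(self.scanner_threshold, observed_max)
        else:
            self.scanner_threshold = observed_max
        return self.scanner_threshold


def run_page_example() -> dict:
    """Replay the page's detection example with constructed addresses."""
    # One solitary host probing 145 destinations crosses the scanner threshold.
    lone = ServiceDetector(scanner_threshold=145)
    for i in range(145):
        lone.observe("192.0.2.10", f"10.0.0.{i + 1}")
    # Seven hosts each probing 20 destinations: the 20-bucket expects at most 6.
    worm = ServiceDetector(scanner_threshold=145)
    for h in range(7):
        for i in range(20):
            worm.observe(f"192.0.2.{100 + h}", f"10.1.{h}.{i + 1}")
    return {
        "lone_alerts": list(lone.alerts),
        "lone_worm": lone.worm_attack,
        "worm_attack": worm.worm_attack,
        "effective_threshold": worm.effective_threshold,
        "learning_suspended": worm.learning_suspended,
        "worm_hosts": sorted(src for kind, src in worm.alerts if kind == "worm"),
    }
```

In the replay, the solitary host produces one scanner alert and leaves the histogram untouched, while the seventh host with 20 destinations crosses the 20-bucket, so all seven are reported under the worm subsignature and the learned 145 threshold is left alone until end_of_attack() restores it.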
(Table of anomaly detection signatures: Signature ID, Subsignature ID, Name, Description, Deny Attacker Inline)
All of these anomaly detection signatures are enabled by default and the alert severity for each
one is set to High. It is recommended that you configure the anomaly detection signature to
include Deny Attacker Inline.
Configuring Anomaly Detection
This topic describes how to configure anomaly detection.
Configuration
On sensors with multiple virtual sensors configured, it is possible to have multiple anomaly
detection instances, each configured differently. The following are settings that are unique to
each instance of anomaly detection:
Scheduler
Zones IP addresses
IP addresses to ignore
Service histograms and scanner thresholds
(Figure: Anomaly Detections pane, Add Policy dialog box with the Anomaly Detection Policy Name field)
In the Anomaly Detections pane, you can add, clone, or delete an anomaly detection policy.
The default anomaly detection policy is called ad0. When you add a policy, a control
transaction is sent to the sensor to create the new policy instance. If the response is successful,
the new policy instance is added under Anomaly Detections. If the control transaction fails, for
example because of resource limitations, an error message appears.
If your platform does not support virtual policies, you can have only one instance for each
component, and you cannot create new ones or delete the existing one. In this case, the Add,
Clone, and Delete buttons are disabled.
Note Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Services
Module (ASA AIP-SSM) Software before Version 8.0 and Cisco Intrusion Detection System
(IDS) Network Module do not support sensor virtualization and therefore do not support
multiple policies.
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 4 In the Policy Name field, enter a name for the anomaly detection policy.
Anomaly Detection Configuration Procedure
You can use the default anomaly detection policy, ad0, or you can configure
a new one.
Step 4 Let the sensor run in learning mode for at least 24 hours (the default).
Note It is recommended that you leave the sensor in learning mode for at least 24 hours. If you
can let the sensor run in learning mode for longer, even up to a week, that is better.
After the time period identified for learning, the sensor saves the initial knowledge
base as a baseline of the normal activity of your network.
Step 5 Switch the sensor from learning mode to detection mode.
Note Step 5 is not necessary in a production environment. Anomaly detection will automatically
switch from learning to detection mode after the configured time has elapsed.
Add Anomaly Detection to Virtual Sensor
Figure: the Edit Virtual Sensor dialog box, showing the Anomaly Detection Policy field and the AD Operational Mode field set to Inactive.
You can apply the same policy instance, for example, sig0, rules0, and ad0, to different virtual
sensors. Follow these steps to add, edit, and delete virtual sensors:
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 2 Click Configuration and choose Analysis Engine > Virtual Sensors.
Step 4 Enter a name for the virtual sensor in the Virtual Sensor Name field.
Figure: Configuration > Anomaly Detections > ad0, internal zone protocol tabs.
You enable or disable the TCP protocol for the internal zone on the TCP Protocol tab. You can
configure a destination port for the TCP protocol, and you can use either the default thresholds
or override the scanner settings and add your own thresholds and histograms.
On the UDP Protocol tab, you enable or disable the UDP protocol for the internal zone. You
can configure a destination port for the UDP protocol, and you can use either the default
thresholds or override the scanner settings and add your own thresholds and histograms.
On the Other Protocols tab, you enable or disable other protocols for the internal zone. You can
configure a protocol number map for the other protocols, and you can use either the default
thresholds or override the scanner settings and add your own thresholds and histograms.
Configure Anomaly Detection Services
Figure: Configuration > Anomaly Detections > ad0, Destination Port Map tab.
The Add and Edit Destination Port dialog boxes contain the following fields:
Destination Port number: This lets you enter the destination port number. The valid range
is 0 to 65535.
Enable the Service: If checked, this enables the service.
Override Scanner Settings: If checked, this overrides the default scanner settings, and lets
you add, edit, delete, and choose all histograms.
Scanner Threshold: This lets you set the scanner threshold. The valid range is 5 to 1000.
The default is 100.
Threshold Histogram: This displays the histograms that were added.
— Number of Destination IP Addresses: Displays the number of destination IP
addresses that you added for the High (100), Medium (20), and Low (5) buckets.
— Number of Source IP Addresses: Displays the number of source IP addresses that
you added for High, Medium, and Low.
Note Under the destination port map there are no default scanner or histogram values. The
administrator must configure these values.
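The scanner threshold and histogram buckets above, together with the switch from the scanner signature to the worm signature once the histogram fires (described at the start of this lesson), as an added Python model that is not Cisco IPS code. The flow records, the per-bucket source limits, and the choice of the most sensitive fired bucket as the worm threshold are constructed assumptions.

```python
"""Model of the anomaly-detection scanner threshold and histogram logic that
this lesson describes. Added illustration, not Cisco IPS code: the flow
records, the per-bucket source limits and the tie-break rule are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Histogram buckets named in the Destination Port dialog: a source falls into a
# bucket once it has contacted at least this many destination addresses.
BUCKET_DESTINATIONS = {"High": 100, "Medium": 20, "Low": 5}


@dataclass
class ServicePolicy:
    """Per-service settings from the Add/Edit Destination Port dialog."""
    port: int
    scanner_threshold: int = 100  # valid range 5 to 1000, default 100
    # Number of source addresses tolerated per bucket before the histogram
    # signature fires. The lesson gives no defaults; these are constructed.
    max_sources: Dict[str, int] = field(
        default_factory=lambda: {"High": 1, "Medium": 3, "Low": 10})

    def __post_init__(self) -> None:
        if not 0 <= self.port <= 65535:
            raise ValueError("destination port must be 0 to 65535")
        if not 5 <= self.scanner_threshold <= 1000:
            raise ValueError("scanner threshold must be 5 to 1000")


@dataclass
class AnomalyDetector:
    policy: ServicePolicy
    ignored_sources: FrozenSet[str] = frozenset()  # Operation Settings ignore list
    worm_threshold: Optional[int] = None  # set once the histogram has fired
    _dests: Dict[str, set] = field(default_factory=lambda: defaultdict(set))

    def observe(self, src: str, dst: str, dport: int) -> None:
        """Record one flow on the monitored service; ignored sources are never
        tracked, so they cannot move the histogram."""
        if dport == self.policy.port and src not in self.ignored_sources:
            self._dests[src].add(dst)

    def histogram(self) -> Dict[str, int]:
        """How many sources have reached each bucket's destination count."""
        return {name: sum(1 for d in self._dests.values() if len(d) >= n)
                for name, n in BUCKET_DESTINATIONS.items()}

    def threshold_in_use(self) -> int:
        if self.worm_threshold is None:
            return self.policy.scanner_threshold
        return self.worm_threshold

    def evaluate(self) -> List[Tuple[str, str]]:
        """Return (source, signature) pairs. Before the histogram fires, a
        source is a scanner when it reaches the scanner threshold; afterwards
        every source at or above the (lower) worm threshold fires the worm
        signature instead, which is the behaviour the lesson describes."""
        if self.worm_threshold is None:
            fired = [name for name, count in self.histogram().items()
                     if count > self.policy.max_sources[name]]
            if fired:
                # Assumption: the most sensitive bucket that fired sets the
                # worm threshold reported in the alert details.
                self.worm_threshold = min(BUCKET_DESTINATIONS[n] for n in fired)
        signature = "scanner" if self.worm_threshold is None else "worm"
        limit = self.threshold_in_use()
        return sorted((src, signature) for src, d in self._dests.items()
                      if len(d) >= limit)

    def worm_timeout_expired(self) -> None:
        """After the worm timeout the scanner threshold returns to its
        configured value; the counters are restarted here so the next window
        is evaluated afresh (a simplification of the sensor's behaviour)."""
        self.worm_threshold = None
        self._dests.clear()
```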
Figure: Configuration > Anomaly Detections > ad0, Learning Accept Mode tab, with the Schedule field.
Use the Learning Accept Mode tab to configure whether the sensor will automatically create a
new knowledge base every so many hours. You can configure whether the knowledge base will
be created and loaded (Rotate) or saved (Save Only). You can schedule how often and when the
knowledge base will be loaded or saved. The new updated knowledge base is saved as
KB_current-date.
Note You must be an administrator or operator to configure the Learning Accept Mode.
Follow these steps to configure the Learning Accept Mode for anomaly detection:
Step 1 Log into Cisco IDM using an account with administrator or operator privileges.
Step 2 Click Configuration and choose Policies > Anomaly Detections > ad0 and click
the Learning Accept Mode tab.
Step 3 To have anomaly detection automatically update the knowledge base, check the
Automatically Accept Learning Knowledge Base check box.
Step 4 From the Action drop-down list, choose one of the following action types:
Rotate: With this action option, a new knowledge base is created and loaded.
This option is the default.
Save Only: With this action option, a new knowledge base is created but not
loaded. You can view it to decide if you want to load it.
Step 5 From the Schedule drop-down list, choose one of the following schedule types:
Calendar Schedule: Go to Step 6.
Periodic Schedule: Go to Step 7.
Step 6 To configure the calendar schedule, follow these substeps:
1. Click Add to add the start time. The Add Start Time dialog box appears.
2. Enter the start time in hours, minutes, and seconds using the 24-hour time
format.
Tip To undo your changes and close the Add Start Time dialog box, click Cancel.
3. Click OK.
4. In the Days of the Week field, check the check boxes of the days that you want
the anomaly detection module to capture knowledge base snapshots.
2. In the Learning Interval field, enter the interval of the subsequent knowledge
base snapshots.
Step 8 Click Apply to apply your changes and save the revised configuration.
Figure: Configuration > Anomaly Detections > ad0, Operation Settings tab.
From the Operation Settings tab, you can set the worm detection timeout. After this timeout,
the scanner threshold returns to the configured value. You can also configure source and
destination IP addresses that you want the sensor to ignore when anomaly detection is gathering
information for a knowledge base. Anomaly detection does not track these source and
destination IP addresses, and the knowledge base thresholds are not affected by these IP
addresses.
Note You must be an administrator or operator to configure anomaly detection operation settings.
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 2 Click Configuration and choose Policies > Anomaly Detections > ad0 and click
the Operation Settings tab.
Step 3 In the Worm Timeout field, enter the number of seconds that you want to wait for
worm detection to time out. The range is 120 to 10,000,000 seconds. The default is
1000 seconds.
Step 4 To enable the list of ignored IP addresses, check the Enable Ignored IP Addresses
check box.
Note You must check the Enable Ignored IP Addresses check box or none of the IP addresses
you enter are ignored.
Step 5 In the Source IP Addresses field, enter the addresses or range of source IP addresses
that you want anomaly detection to ignore. The valid form is
10.10.5.5,10.10.2.1-10.10.2.30.
Step 6 In the Destination IP Addresses field, enter the addresses or range of destination IP
addresses that you want anomaly detection to ignore.
Step 7 Click Apply to apply your changes and save the revised configuration.
Figure: Monitoring > Anomaly Detection pane, with the Show Thresholds, Compare KBs, Load, Save Current, Download, and Upload buttons.
The Anomaly Detection pane displays the knowledge bases for all virtual sensors. On the
Anomaly Detection pane, you can perform the following actions:
Show thresholds of specific knowledge bases
Compare knowledge bases
Load a knowledge base
Make the KB the current knowledge base
Rename a knowledge base
Download a knowledge base
Upload a knowledge base
Delete a knowledge base
Note The anomaly detection buttons are active only if one row in the list is selected, except for
Compare KBs, which can have two rows selected. If any other number of rows is selected,
none of the buttons are active.
The fields and buttons listed here are on the Anomaly Detection pane.
Knowledge Base Name: This is the name of the knowledge base. By default, the
knowledge base is named by its date. The default name is the date and time (year-month-
day-hour_minutes_seconds). The initial knowledge base is the first knowledge base, the
one that has the default thresholds.
Current: “Yes” indicates the currently loaded knowledge base.
Size: This is the size of the knowledge base in kilobytes. The size usually ranges from less
than 1 KB up to 500 to 700 KB.
Created: This is the date that the knowledge base was created.
The command show statistics anomaly-detection is available in Cisco IPS Sensor Software
Version 6.0(1) and later. Besides displaying anomaly statistics, it also reveals whether an
anomaly has been detected and the source of the worm infestation.
In the example, an attack has been perceived with all of the attackers originating from the
external zone.
POSFP Overview
This topic describes the principles behind POSFP.
POSFP lets the sensor determine the operating system that hosts are running. The sensor
analyzes network traffic between hosts and stores the operating system of these hosts with their
IP addresses. The sensor inspects TCP SYN and ACK packets exchanged on the network to
determine the operating system type.
The sensor then uses the target host operating system to compute the Attack Relevancy Rating
(ARR) component of the risk rating. You can then use the risk rating to reduce the number of
false positive alerts, a benefit in promiscuous mode, or definitively drop suspicious packets, a
benefit in inline mode.
When the Cisco IPS sensor operates in inline mode, the POSFP relevance determination increases the confidence with which the Cisco IPS sensor may drop suspicious traffic.
When the Cisco IPS sensor operates in promiscuous mode, the POSFP relevance determination decreases the number of false positive alerts generated by the Cisco IPS sensor.
POSFP enhances the alert output by reporting the victim operating system, the source of the operating system identification, and the relevance to the victim operating system in the alert.
When the IPS sensor is inline, the operating system relevance factor allows the administrator to
be more aggressive in configuring signature actions.
For sensors in promiscuous mode, the POSFP relevance determination decreases the number of
false positive alerts generated by the sensor.
Whether the sensor is in inline or promiscuous mode, the alert output contains additional,
useful information about the victim and the relevance of the alert.
Operating System Identification
This topic describes the different methods available to identify operating systems.
There are three sources of operating system information. The sensor ranks the sources of
operating system information in the following order:
1. Configured operating system mappings
2. Imported operating system mappings (from the CiscoWorks Management Center for Cisco
Security Agent)
3. Learned operating system mappings
When the sensor must determine the operating system for a target IP address, it consults the
configured operating system mappings. If the target IP address is not in the configured
operating system mappings, the sensor looks in the imported operating system mappings. If the
target IP address is not in the imported operating system mappings, the sensor looks in the
learned operating system mappings. If it cannot find it there, the sensor treats the operating
system of the target IP address as unknown.
Note POSFP is enabled by default. The Cisco IPS sensor contains a default vulnerable operating
system list for each signature. If you do not configure any IP addresses for POSFP to
fingerprint, it fingerprints all IP addresses.
Configurable Settings
Note You must be an administrator or operator to add, edit, and delete configured operating
system maps.
Configuring User-Defined Operating System Mappings
Figure: Configuration > Event Action Rules > rules0, Add Configured OS Map dialog box.
Note The Restrict OS Mapping and ARR to These IP Addresses field is discussed later in this
topic.
Figure: the Name of Operating System Map, IP Addresses, and OS Type fields.
The following fields and options are on the Add and Edit Configured OS Map dialog boxes.
Name: This lets you name the configured operating system map.
Active: This lets you choose to have the configured operating system map active or
inactive.
IP Address: This lets you enter the IP address associated with this configured operating
system map. The IP address for the configured operating system mappings, and only the
configured operating system mappings, can be a set of IP addresses and IP address ranges.
The following are all valid IP address formats for configured operating system mappings:
— 10.1.1.1,10.1.1.2,10.1.1.15
— 10.1.2.1
— 10.1.1.1-10.2.1.1,10.3.1.1
— 10.1.1.1-10.1.1.5
OS Type: This lets you choose one of the following operating system types to associate
with the IP address:
— AIX
— BSD
— General OS
— HP UX
— IOS
— IRIX
— Linux
— Mac OS
— Netware
— Other
— Solaris
— UNIX
— Unknown OS
— Win NT
— Windows
— Windows NT/2K/XP
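The lookup order (configured, then imported, then learned mappings) and the address-list syntax above, plus the relevance rule stated later in this lesson, as an added Python illustration that is not Cisco IPS code. The mapping tables are constructed, and the relevance outcomes other than the General OS case are an assumption.

```python
"""Passive OS fingerprinting (POSFP) lookup order, the address-list syntax of
configured OS maps, and alert relevance as this lesson describes them. Added
illustration, not Cisco IPS code: the mapping tables below are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# OS Type values offered in the Add/Edit Configured OS Map dialog box.
OS_TYPES = {
    "AIX", "BSD", "General OS", "HP UX", "IOS", "IRIX", "Linux", "Mac OS",
    "Netware", "Other", "Solaris", "UNIX", "Unknown OS", "Win NT", "Windows",
    "Windows NT/2K/XP",
}


def parse_ip_list(text: str) -> List[Tuple[int, int]]:
    """Parse the comma-separated list of addresses and ranges that configured
    OS maps (and the anomaly-detection ignore lists) accept, for example
    '10.1.1.1-10.2.1.1,10.3.1.1'. Returns inclusive (first, last) ranges."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        first, _, last = item.partition("-")
        lo = int(ipaddress.IPv4Address(first.strip()))
        hi = int(ipaddress.IPv4Address(last.strip())) if last else lo
        if hi < lo:
            raise ValueError(f"range end precedes its start: {item}")
        ranges.append((lo, hi))
    return ranges


def in_ip_list(addr: str, ranges: List[Tuple[int, int]]) -> bool:
    value = int(ipaddress.IPv4Address(addr))
    return any(lo <= value <= hi for lo, hi in ranges)


class OsMappings:
    """The three sources of OS information, consulted in the lesson's order."""

    def __init__(self) -> None:
        # Only configured maps may carry sets and ranges of addresses.
        self.configured: List[Tuple[str, bool, List[Tuple[int, int]], str]] = []
        self.imported: Dict[str, str] = {}   # from CiscoWorks MC for CSA
        self.learned: Dict[str, str] = {}    # from observed TCP sessions

    def add_configured(self, name: str, addresses: str, os_type: str,
                       active: bool = True) -> None:
        if os_type not in OS_TYPES:
            raise ValueError(f"unsupported OS type: {os_type}")
        self.configured.append((name, active, parse_ip_list(addresses), os_type))

    def lookup(self, target: str) -> Tuple[str, str]:
        """Return (os_type, source). Configured maps win, then imported, then
        learned; an inactive configured map is skipped. Anything else is
        treated as 'Unknown OS'."""
        for _name, active, ranges, os_type in self.configured:
            if active and in_ip_list(target, ranges):
                return os_type, "configured"
        for source in ("imported", "learned"):
            table: Dict[str, str] = getattr(self, source)
            if target in table:
                return table[target], source
        return "Unknown OS", "none"


def relevance(victim_os: str, vulnerable_os: List[str]) -> str:
    """Relevance of an alert to the victim OS. The lesson states the case of an
    unknown victim with a General OS signature; treating General OS as
    relevant to every victim, and the 'not relevant' and 'unknown' outcomes
    for a listed set of operating systems, are assumptions."""
    if "General OS" in vulnerable_os:
        return "relevant"
    if victim_os == "Unknown OS":
        return "unknown"
    return "relevant" if victim_os in vulnerable_os else "not relevant"
```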
Figure: Configuration > External Product Interfaces, Management Center for Cisco Security Agents.
CiscoWorks Management Center for Cisco Security Agent receives host posture information
from the Cisco Security Agent software that it manages. It also maintains a watch list of IP
addresses that it has determined should be quarantined from the network.
CiscoWorks Management Center for Cisco Security Agent sends two types of events to the
sensor—host posture events and quarantined IP address events.
The sensor uses the information from these events to determine the risk rating increase based
on the information in the event and the risk rating configuration settings for host postures and
quarantined IP addresses.
Note The host posture and watch list IP address information is not associated with a virtual
sensor, but is treated as global information.
To configure restrictions on the operating system mapping done by the sensor, it is necessary to
complete the following steps:
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 2 Click Configuration and choose Policies > Event Action Rules > rules0 and then
click the OS Identifications tab.
Step 3 Confirm that the Enable Passive OS Fingerprinting Analysis check box is
checked.
Step 4 In the Restrict OS Mapping and ARR to These IP Addresses field, add the addresses
used by the networks monitored by this virtual sensor.
Relevance Alert Filters
Figure: Event Action Filter tab, OS Relevance field.
Follow these steps to edit the event action filter OS Relevance value:
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 2 Click Configuration and choose Policies > Event Action Rules > rules0 and then
click the Event Action Filter tab.
Step 4 In the OS Relevance drop-down list, choose whether you want to know if the alert is
relevant to the operating system that has been identified for the victim.
Figure: Signature Configuration tab, Vulnerable OS List field and Select Operating Systems dialog box.
Step 1 Log into the Cisco IDM using an account with administrator or operator privileges.
Step 2 Click Configuration and choose Signature Definitions > sig0 and click the
Signature Configuration tab.
Step 5 In the Select Item(s) dialog box, choose the vulnerable operating system (or
systems) and click OK.
Tip To choose more than one operating system, hold down the Ctrl key.
Disable POSFP
Figure: Configuration > Event Action Rules > rules0, Enable Passive OS Fingerprinting Analysis check box.
Step 2 Choose Event Action Rules > rules0 and click the OS Identifications tab.
Step 3 Clear the Enable Passive OS Fingerprinting Analysis check box.
Figure: Monitoring > Learned OS pane.
The Learned OS pane displays the learned operating system mappings that the sensor has
learned from observation of traffic on the network. The sensor inspects TCP session
negotiations to determine the operating system running on each host.
You can clear the list or delete one entry by choosing the row and clicking Delete.
Note If POSFP is still enabled, and hosts are still communicating on the network, the learned
operating system mappings are immediately repopulated.
Follow these steps to delete a learned operating system value or to clear the entire list:
Step 1 Log into the Cisco IDM using an account with administrator privileges.
Step 3 To delete one entry in the list, choose it in the Learned OS pane, and click Delete.
Step 4 To clear all learned operating system values, click Clear List from the Learned OS
pane.
Note You must be an administrator to clear and delete learned operating system mappings.
Monitoring Imported Operating Systems
Figure: Monitoring > Imported OS pane.
The Imported OS pane displays the operating system mappings that the sensor has imported
from CiscoWorks Management Center for Cisco Security Agent if you have it set up as an
external interface product on the Configuration > External Product Interfaces pane.
You can clear the list or delete one entry by choosing the row and clicking Delete.
Follow these steps to delete an imported operating system value or to clear the entire list:
Step 1 Log into Cisco IDM using an account with administrator privileges.
Step 3 To delete one entry in the list, choose the entry from the Imported OS pane, and
click Delete.
Step 4 To clear all imported operating system values, click Clear List from the Imported
OS pane.
Note You must be an administrator to clear and delete imported operating system mappings.
When the victim operating system is unknown and the vulnerable operating system setting of
the signature is General OS, the alert relevance is “relevant.”
Summary
This topic summarizes the key points that were discussed in this lesson.
Configuring Blocking
Overview
This lesson explains how to configure the blocking capability on a Cisco Intrusion Prevention
System (IPS) sensor and how blocking is used. In addition, this lesson explains the issues that
you should consider before you select the interface on which to apply the blocking access
control lists (ACLs).
Objectives
Upon completing this lesson, you will be able to explain blocking concepts and use the Cisco IPS
Device Manager (IDM) to configure blocking for a given scenario. This ability includes being
able to meet these objectives:
Explain the principles behind blocking
Describe the things that should be taken into account before applying ACLs
Explain how to configure a sensor to perform automatic blocking
Explain how to configure a sensor to perform manual blocking
Explain how to configure a master blocking scenario
Blocking Overview
This topic explains blocking and provides guidelines for designing a Cisco IPS solution that
incorporates the blocking feature.
Definitions
Blocking: A Cisco IPS sensor feature that prevents packets from reaching their destination; initiated by a sensor and performed by another Cisco device at the request of the sensor
ARC: The blocking application on the sensor
Device management: The ability of a sensor to interact with a Cisco device and dynamically reconfigure the Cisco device to stop an attack
Blocking device: The Cisco device that blocks the attack; also referred to as a managed device
Blocking sensor: The Cisco IPS sensor configured to control the managed device
Managed interface or VLAN: The interface or VLAN on the managed device where the Cisco IPS sensor applies the ACL or VACL
Active ACL or VACL: The ACL or VACL created and applied to the managed interfaces or VLANs by the sensor
The following terms are used when discussing the Cisco IPS blocking feature:
Blocking: This is a Cisco IPS feature that prevents packets from reaching their destination.
Blocking is initiated by a sensor and performed by another Cisco device at the request of
the sensor.
Attack Response Controller (ARC): This is the blocking application on the sensor. The
ARC starts and stops blocks. It monitors the time for the block and removes the block after
the time has expired. ARC, formerly known as Network Access Controller (NAC) in Cisco
IPS Sensor Software prior to Version 6.0, is also used in rate limiting.
Device management: This is the ability of a sensor to interact with a Cisco device and
dynamically reconfigure the Cisco device to block the source of an attack in real time.
Managed device: This is the Cisco device that actually blocks the attack. It is also referred
to as a blocking device.
Blocking sensor: This is a sensor that has been configured to control a managed device.
Managed interface or VLAN: This is the interface or VLAN on the managed device
where the sensor applies the dynamically created ACL or VLAN ACL (VACL). This
interface or VLAN is also referred to as a blocking interface or blocking VLAN.
Note The Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive
Security Appliances use the shun command to enforce a block. The Cisco PIX security
appliance and Cisco ASA adaptive security appliance ACLs are not modified.
Active ACL or VACL: This is the ACL or VACL dynamically created and maintained by
the sensor and applied to the managed interface or VLAN.
Blocking Devices
Cisco routers
Cisco PIX 500 Series Security Appliances
Cisco Catalyst 6500 Series Firewall Services Modules
Cisco Catalyst 6500 Series Switches
Cisco ASA 5500 Series Adaptive Security Appliances
The ARC can control up to 250 supported devices in any combination. The following list shows
the blocking devices that have been tested and approved to work with the sensors and device
management:
Cisco routers running Cisco IOS Release 11.2 or later using ACLs
Cisco PIX 500 Series Security Appliances running Software Version 6.0 or later using the
shun command; you must use one of the following Cisco PIX security appliance models:
— Cisco PIX 501 Security Appliance
— Cisco PIX 506E Security Appliance
— Cisco PIX 515E Security Appliance
— Cisco PIX 525 Security Appliance
— Cisco PIX 535 Security Appliance
Cisco Catalyst 6500 Series Firewall Services Modules (FWSMs)
Cisco ASA 5500 Series Adaptive Security Appliances running Version 7.0 or later using
the shun command
Note If the Cisco Catalyst Series FWSM is configured in multimode, blocking is not supported for
the administrative context. Blocking is only supported in single mode and in multimode
customer context.
Cisco Catalyst 6500 Series Switches with Cisco IOS Release 12.1(13)E or later using
ACLs
Blocking is done with ACLs, VACLs, or the shun command. All of the Cisco PIX security
appliance models that support the shun command can be used as blocking devices.
Blocking Device Requirements
The sensor must be able to communicate with the device via IP.
Remote network access must be enabled and permitted from the
sensor to the managed device using one of the following:
– Telnet
– SSH (default)
If using SSH, the blocking device must have an encryption license
for DES or 3DES.
The sensor must be able to communicate with the blocking device. The sensor must have a
route to, or must be on the same subnet as, the managed firewall.
The blocking device must also have one of the following configured:
Telnet: Telnet access should be allowed from the sensor.
Secure Shell (SSH): SSH access should be allowed from the sensor.
SSH is the default communication mechanism between the sensor and the blocking device. If
SSH is used, the blocking device must have a software license that supports Data Encryption
Standard (DES) or Triple Data Encryption Standard (3DES) encryption.
As soon as the blocking device is configured on the sensor, the sensor attempts to log into the
blocking device using the specified credentials and access protocol, Telnet or SSH. If the
sensor logs in successfully, a user connection is maintained between the sensor and the
blocking device. This persistent connection allows the sensor to immediately and dynamically
configure blocking rules on the blocking device as required.
This table displays a partial sample configuration for a Cisco router that supports SSH
authentication from the sensor using the local database for password authentication.
Command Description
hostname router1
    This establishes the router identity.
username sensor password 0 secret
    This creates the sensor username account for SSH login.
aaa new-model
aaa authentication login ssh local enable
    This defines the login profile named "ssh" to use the local user database for
    authentication; the enable password is used as a backup.
ip domain-name company.com
    This establishes the domain identity of the router.
ip ssh time-out 90
    (Optional) This sets the SSH timeout to 90 seconds. The default is 60 seconds.
ip ssh authentication-retries 2
    (Optional) This sets the number of allowed retries to 2. The default is 3.
line vty 0 4
    This enters line vty configuration mode.
login authentication ssh
    This configures the vty lines to authenticate using the login profile named "ssh."
transport input ssh
    This enables the SSH transport on the vty line.
The Cisco IOS command crypto key generate rsa does not appear in the static configuration,
but it is used to enable the SSH server and to generate the server public and private keys for
SSH authentication.
The Cisco IOS commands show users and show ssh can be used to verify that the sensor has
logged into the Cisco router and established an SSH connection; the encryption level is also
displayed.
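The following checker is an added example, not Cisco code: it reads a saved Cisco IOS configuration and reports whether the prerequisites in the table above are met (hostname and domain name for key generation, a local account for the sensor, an AAA login profile that uses the local database, and vty lines that accept SSH only). The function names and the two configuration samples are constructed for the example.

```python
"""Checks a saved Cisco IOS configuration against the blocking-device SSH
requirements listed in the table above.  Added example, not Cisco code; the
function names and the two configuration samples are constructed."""
import re


def parse_ios(config_text):
    """Split an IOS-style configuration into (command, [sub-commands]) pairs.
    Sub-commands are the lines indented by a space under a mode command such
    as 'line vty 0 4'; comment lines starting with '!' are skipped."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def check_blocking_device_ssh(config_text, sensor_user="sensor"):
    """Return {'errors': [...], 'warnings': [...]} for the SSH prerequisites a
    router must meet before the sensor can log into it as a blocking device."""
    sections = parse_ios(config_text)
    top = [cmd for cmd, _ in sections]
    errors, warnings = [], []

    # hostname and domain name must exist before 'crypto key generate rsa'
    if not any(c.startswith("hostname ") for c in top):
        errors.append("hostname is not set (required before 'crypto key generate rsa')")
    if not any(c.startswith("ip domain-name ") for c in top):
        errors.append("ip domain-name is not set (required before 'crypto key generate rsa')")

    # a local account for the sensor
    user_lines = [c for c in top if c.startswith(f"username {sensor_user} ")]
    if not user_lines:
        errors.append(f"no local 'username {sensor_user}' account for the sensor")
    elif any(" password " in c for c in user_lines):
        warnings.append(f"username {sensor_user} uses 'password' (cleartext or "
                        "reversible type 7); 'secret' stores a one-way hash")

    # AAA login profiles that consult the local user database
    if "aaa new-model" not in top:
        errors.append("'aaa new-model' is missing; 'aaa authentication login' profiles are not in effect")
    local_profiles = set()
    for c in top:
        m = re.match(r"aaa authentication login (\S+) (.+)", c)
        if m and "local" in m.group(2).split():
            local_profiles.add(m.group(1))

    # vty lines must authenticate through such a profile and accept only SSH
    vty_sections = [subs for cmd, subs in sections if cmd.startswith("line vty")]
    if not vty_sections:
        errors.append("no 'line vty' configured")
    for subs in vty_sections:
        login = next((s.split()[-1] for s in subs if s.startswith("login authentication ")), None)
        if login is None:
            errors.append("line vty: no 'login authentication <profile>' configured")
        elif login not in local_profiles:
            errors.append(f"line vty: login profile '{login}' is not defined with the local database")
        transports = next((s.split()[2:] for s in subs if s.startswith("transport input")), [])
        if "ssh" not in transports and "all" not in transports:
            errors.append("line vty: 'transport input' does not include ssh")
        if "telnet" in transports or "all" in transports:
            errors.append("line vty: Telnet is accepted; the sensor's login credentials "
                          "would cross the network in cleartext")
    return {"errors": errors, "warnings": warnings}


# Constructed sample: the table's configuration, with vty sub-commands indented
SAMPLE_OK = """\
hostname router1
username sensor password 0 secret
aaa new-model
aaa authentication login ssh local enable
ip domain-name company.com
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
 login authentication ssh
 transport input ssh
"""

# Constructed sample with common mistakes: no AAA profile and Telnet still open
SAMPLE_BAD = """\
hostname router1
username sensor secret s3cret-placeholder
ip domain-name company.com
line vty 0 4
 login authentication ssh
 transport input telnet ssh
"""

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_blocking_device_ssh(cfg))
```

Run against the table's configuration the checker reports no errors and one warning (the account uses password rather than secret); the second sample shows the three findings that most often keep a sensor from logging in or expose its credentials.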
The “Sample Cisco PIX Security Appliance Configuration” table displays a partial sample
configuration for a Cisco PIX security appliance that supports SSH authentication from the
sensor using local password authentication, not authentication, authorization, and accounting
(AAA).
Command                               Description
hostname pix1                         Establishes the identity of the Cisco PIX security appliance for
                                      key generation
ssh 172.16.1.1 255.255.255.255 inside Allows SSH traffic only from host 172.16.1.1 on the inside
                                      network
Once the hostname and domain name of the Cisco PIX security appliance are set, the Cisco PIX
security appliance ca generate rsa key command is used to generate the server public and
private keys for SSH authentication; the ca save all command is then used to save the Rivest,
Shamir, and Adleman (RSA) key pair to flash memory.
The Cisco PIX security appliance show ssh sessions command can be used to verify that the
sensor has logged into the Cisco PIX security appliance and established an SSH connection.
The encryption level is also displayed.
Note If local authentication, not AAA, is used for SSH on the Cisco PIX security appliance, the
SSH username is always “pix.” There is no per-user name entry.
[Figure: Cisco IDM Sensor Setup > SSH > Known Host Keys panel, with the Add button]
If you select SSH-DES or 3DES as the secure communication method, SSH password
authentication is used, not public key authentication. To configure the sensor to communicate
with a blocking device using SSH, you must configure the SSH public key of the blocking
device on the sensor. The sensor can automatically retrieve the SSH parameters from the router,
if properly configured for an SSH server.
Follow these steps to add the blocking device to the sensor known hosts list:
Step 1 Click Configuration and choose Sensor Setup > SSH > Known Host Keys. The
Known Host Keys panel is displayed.
Step 2 Click Add. The Add Known Host Key window opens.
Blocking Guidelines
Cisco IPS blocking is a powerful feature that you should use only after thorough planning. The
automatic blocking feature generates blocking rules, ACLs, VACLs, and shun commands,
based solely on the IP addresses of the hosts that generate the alarms. The sensor cannot
determine whether the attacking host should be considered a friend or a foe. Consequently, the
blocking feature could block legitimate network traffic. There are several key points to
remember when designing and implementing blocking:
Antispoofing mechanisms: Attackers will forge packets with IP addresses that are either
private addresses (RFC 1918) or addresses on your internal network. The goal of the
attacker could be to elude detection, to gain privileged access using a trusted address, or to
cause a denial of service (DoS) if sensor blocking is configured. If you implement a proper
antispoofing mechanism and network ingress and egress filtering (RFC 2827), the sensor
does not block possibly valid addresses.
Critical hosts: Each network has critical hosts that should not be blocked. It is important to
identify these hosts to prevent possible network disruptions.
Network topology: Determine which devices should be blocked by which sensor. Two
sensors cannot control blocking on the same device.
Entry points: Networks of today have several entry points to provide for reliability,
redundancy, and resilience. These entry points are avenues for someone to attack your
network. It is important to identify all of the entry points and decide whether the connecting
devices should participate in blocking.
Signature selection: Cisco IPS sensors contain several hundred signatures that can be
configured for blocking. It is not feasible to perform blocking on all of the signatures.
Identify which signatures are best suited for blocking. For example, if you were allowing
only web traffic to your server farm, you would identify web-related signatures specific to
your web server software. From this list of signatures, you would then identify those
signatures whose severity is ranked high and could potentially lead to access. These
signatures would be candidates for blocking.
ARC Block Actions
The ARC is the sensor service that initiates the network access control, or blocking, function.
The ARC controls the starting and stopping of blocks on routers, switches, Cisco PIX security
appliances, and Cisco ASA adaptive security appliances.
The following events cause the ARC to initiate a block:
Automatic blocking: A signature configured with a block action generates an alert. You
can configure either of two block actions for a signature.
— Request block host: Blocks all of the traffic from a given IP address
— Request block connection: Blocks traffic from a given source IP address to a given
destination IP address and destination port
Note Multiple connection blocks from the same source IP address to a different destination IP
address or destination port automatically switch the block from a connection block to a host
block.
Manual blocking: You manually configure the ARC to block a specific host or network
address.
Blocking Scenario
[Figure: Blocking scenario. (1) The attacker at 172.26.26.1 attacks the server at 192.168.1.10; (2) the sensor detects the attack.]
The following steps describe the process for the scenario in the figure, in which a signature is
configured with a blocking action:
Step 1 An attack starts when an attacker executes a hack to gain access to the protected
network. In the figure, the attacker IP address is 172.26.26.1. The attacker has
launched attacks against the server at 192.168.1.10.
Step 2 The sensor detects the attack. The signature triggered was configured so that an
automatic block is enforced.
Step 3 The sensor writes a new ACL on the managed router denying traffic from the
attacking host.
Step 4 The managed router then denies any traffic generated by the attacking host until the
block is manually removed or the default automatic block time expires. The ACL
entry written to the router would be similar to the following example:
Extended IP access list IDS_Ethernet0/1_in_1
20 deny ip host 172.26.26.1 any
30 permit ip any any
The ACL name indicates the source (the IDS_ prefix), the interface and direction (e0/1_in), and
a unique identifier (1). The ACL is applied to the appropriate interface in the specified
direction. Here is an example:
interface Ethernet0/1
ip access-group IDS_e0/1_in_1 in
Selecting the blocking interfaces on the blocking device and specifying the direction of traffic
that you want blocked are important configuration tasks. The sensor must have full control of
an assigned interface ACL. The sensor writes ACLs and applies them to the blocking device
until the device is no longer defined as a blocking device. Manually configured ACLs are not
allowed on this interface but can be applied to other interfaces or incorporated into the
dynamically created ACL.
You must decide on which interface and in which direction to apply the ACL. You can apply
the ACL on either the external or the internal interface of the router. You can also configure it
for either inbound or outbound traffic on these interfaces.
If you select an external interface as the managed interface, the recommended ACL direction is
inbound. If you select an internal interface as the managed interface, the recommended ACL
direction is outbound. Either of these strategies will block attacks in the direction of the
protected network.
Note Sensor blocking ACLs are incompatible with Context-Based Access Control (CBAC), a
component of the Cisco IOS Firewall Feature Set.
Applying ACLs on External vs. Internal Interfaces
Applying the ACL to the external interface in the inbound direction denies a host access before
the router processes packets. Applying the ACL to the internal interface in the outbound
direction denies a host access to the protected network but allows packets to be processed by
the router. The latter scenario is less desirable, but it may be required if an existing ACL is
already applied to an external interface.
Based on your unique network architecture and security policy, you must decide which
configuration will meet your needs for security and functionality.
Each interface and direction combination of a blocking device can have only one active ACL.
Therefore, if an interface needs other ACL entries besides the blocking ACL entries generated
by the sensor, you should configure these additional entries in the form of Pre-Block and Post-
Block ACLs. You must configure the Pre-Block and Post-Block ACLs on the blocking device
independently of the sensor. These ACLs allow an administrator to include access rules that
must be processed before and after the blocking rules are added by the sensor.
Pre-Block ACLs: These override the deny lines resulting from blocks. Pre-Block ACLs
are used for permitting what you do not want the sensor to block. When a packet is checked
against an ACL, the first line that is matched determines the action. If the first line matched
is a permit line from the Pre-Block ACL, the packet is permitted, even though there could
be a deny line from an automatic block listed later in the ACL.
Post-Block ACLs: These are used for additional blocking or permitting of what you want
to occur on an interface or direction. If you have an existing ACL on an interface that the
sensor manages, that existing ACL can be used as a Post-Block ACL. The sensor creates an
ACL with the following entries and applies it to the specified interface with the specified
direction, in or out:
— A permit line for the sensor IP address, unless you have allowed blocking of the
sensor IP address
— Copies of all of the configuration lines of the Pre-Block ACL
— A deny line for each address being blocked by the sensor
— Copies of all of the configuration lines of the Post-Block ACL
If you do not have a Post-Block ACL, the sensor inserts “permit ip any any” at the end of the
new ACL. When you apply the new ACL to an interface or direction of the router, it removes
the application of any other ACL to that interface or direction.
You must create any Pre-Block and Post-Block ACLs that you plan to use on your blocking
device before you specify them in the Cisco IDM. Pre-Block and Post-Block ACLs must be
extended IP ACLs, either named or numbered. See the documentation for your blocking device
for more information on creating ACLs.
Note When blocking is not in effect, the ACL applied to the interface is simply a combination of
the Pre-Block and Post-Block ACLs without any blocking entries inserted.
The following are examples of blocking ACLs. They depict portions of a blocking
configuration for a Cisco IOS router that implements Pre-Block and Post-Block ACLs on
interface serial0/0 for the inbound direction. The predefined Pre-Block ACL is named
Pre-ACL, and the predefined Post-Block ACL is named Post-ACL.
ip access-list extended pre-ACL
deny ip any host 172.16.16.200
deny tcp any host 192.168.2.2 eq ftp
!
ip access-list extended post-ACL
permit tcp any any
The “ACL Configuration Before Blocking” table displays the ACL configuration as it appears
on a Cisco router after the sensor takes control of the interface but before blocking is initiated,
or after the blocking duration has expired.
Configuration                              Description
interface Serial0/0                        —
 ip access-group IDS_Serial0/0_in_1 in     ACL applied to the interface in the “in” direction
ip access-list extended IDS_Serial0/0_in_1 —
 permit ip host 172.16.16.110 any          IP address to never block entry
 deny ip any host 172.16.16.200            Pre-Block ACL entry
 deny tcp any host 192.168.2.2 eq ftp      Pre-Block ACL entry
 permit tcp any any                        Post-Block ACL entry
The “ACL Configuration During Blocking” table displays the ACL configuration while an
active block is in progress on a Cisco IOS router. In the example, a signature was set to trigger
a connection block for attacks to the web server:
Configuration                                      Description
interface Serial0/0                                —
 ip access-group IDS_Serial0/0_in_1 in             ACL applied to the interface in the “in” direction
ip access-list extended IDS_Serial0/0_in_1         —
 permit ip host 172.16.16.110 any                  IP address to never block entry
 deny ip any host 172.16.16.200                    Pre-Block ACL entry
 deny tcp any host 192.168.2.2 eq ftp              Pre-Block ACL entry
 deny tcp host 10.1.1.200 host 172.16.16.100 eq www log
                                                   Blocking ACL entry with logging enabled
 permit tcp any any                                Post-Block ACL entry
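The model below is an added example, not Cisco sensor code. It composes the ACL in the order described under Pre-Block and Post-Block ACLs (permit for the sensor, Pre-Block copies, one deny per block, Post-Block copies or “permit ip any any”), renders it as IOS would print it, and evaluates packets first-match so that the two tables above, and the rule that a Pre-Block permit overrides a later block deny, can be checked by running them. The Ace and Block classes, the function names and the treatment of 172.16.16.110 as the sensor’s own address are assumptions; ports are shown numerically rather than as ftp or www.

```python
"""Model of the ACL the sensor writes to a Cisco IOS blocking device and of
the router's first-match evaluation of it.  Added illustration, not Cisco
sensor code: the Ace/Block classes, function names and sample addresses are
constructed for the example."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


def _in(addr, spec):
    """True if addr falls inside spec ('any', a host address or a CIDR prefix)."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _ios_addr(spec):
    """Render an address spec the way IOS shows it in an extended ACL."""
    if spec == "any":
        return "any"
    net = ip_network(spec, strict=False)
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # IOS uses a wildcard mask


@dataclass(frozen=True)
class Ace:
    """One access control entry (ports shown numerically, not as 'ftp'/'www')."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: str                      # "any", host address or CIDR prefix
    dst: str
    dport: Optional[int] = None   # destination port; None matches any port
    log: bool = False
    origin: str = ""              # which part of the composed ACL supplied the line

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return _in(src, self.src) and _in(dst, self.dst)

    def text(self):
        line = f"{self.action} {self.proto} {_ios_addr(self.src)} {_ios_addr(self.dst)}"
        if self.dport is not None:
            line += f" eq {self.dport}"
        return line + (" log" if self.log else "")


@dataclass(frozen=True)
class Block:
    """An active block: a host block (dst is None) or a connection block."""
    src: str
    dst: Optional[str] = None
    proto: str = "ip"
    dport: Optional[int] = None

    def to_ace(self):
        if self.dst is None:
            return Ace("deny", "ip", self.src, "any", origin="host block")
        # The guide's table shows connection-block entries written with 'log'.
        return Ace("deny", self.proto, self.src, self.dst, self.dport,
                   log=True, origin="connection block")


def build_blocking_acl(sensor_ip, never_block, pre_block, blocks, post_block,
                       allow_sensor_block=False):
    """Compose the sensor-written ACL in the guide's order: a permit for the
    sensor (unless it may be blocked), never-block addresses as permits (as the
    guide's tables show), Pre-Block lines, one deny per block, then Post-Block
    lines or 'permit ip any any'."""
    acl = []
    if not allow_sensor_block:
        acl.append(Ace("permit", "ip", sensor_ip, "any", origin="sensor address"))
    acl += [Ace("permit", "ip", a, "any", origin="never block") for a in never_block]
    acl += [replace(e, origin="Pre-Block ACL") for e in pre_block]
    acl += [b.to_ace() for b in blocks]
    if post_block:
        acl += [replace(e, origin="Post-Block ACL") for e in post_block]
    else:
        acl.append(Ace("permit", "ip", "any", "any", origin="default permit"))
    return acl


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry decides; no match means the implicit deny at the end."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action, ace.origin
    return "deny", "implicit deny"


def render(acl, name="IDS_Serial0/0_in_1"):
    return [f"ip access-list extended {name}"] + [" " + a.text() for a in acl]


# The guide's Pre-ACL / Post-ACL and the connection block from its second table
PRE_ACL = [Ace("deny", "ip", "any", "172.16.16.200"),
           Ace("deny", "tcp", "any", "192.168.2.2", 21)]
POST_ACL = [Ace("permit", "tcp", "any", "any")]
WEB_BLOCK = Block("10.1.1.200", "172.16.16.100", "tcp", 80)


def during_blocking_acl():
    # 172.16.16.110 is the address the guide's table marks as never blocked;
    # it is modelled here as the sensor's own address (assumption).
    return build_blocking_acl("172.16.16.110", [], PRE_ACL, [WEB_BLOCK], POST_ACL)


if __name__ == "__main__":
    acl = during_blocking_acl()
    print("\n".join(render(acl)))
    print(evaluate(acl, "tcp", "10.1.1.200", "172.16.16.100", 80))   # blocked
    print(evaluate(acl, "tcp", "10.1.1.200", "172.16.16.100", 443))  # not blocked
```

Two behaviours worth noticing when running it: the connection block stops only port 80 from 10.1.1.200, so the same host still reaches port 443 through the Post-Block permit, and because the Post-Block ACL permits only TCP, any UDP packet falls through to the implicit deny even though no block is in force against it.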
Configuration Tasks
[Figure: Cisco IDM Configuration > Blocking > Blocking Properties panel: Enable Blocking, Allow Sensor IP Address to be Blocked, Maximum Block Entries, Add]
After you configure the signature action, you can use the options in the Cisco IDM Blocking
menu to configure blocking. Follow these steps to configure the sensor blocking properties:
Step 1 Click Configuration and choose Blocking > Blocking Properties. The Blocking
Properties panel is displayed.
Step 2 Check the Enable Blocking check box if it is not already selected. By default,
blocking is enabled. You might want to disable blocking, for example, if the ARC is
managing a device on which you must manually configure something. This prevents
a situation in which both you and the ARC are making a change at the same time on
the same device. This could cause the device or the ARC to fail.
Step 3 If you want to allow the sensor IP address to be blocked, check the Allow Sensor IP
Address to be Blocked check box. It is recommended that you do not allow the
sensor to block itself because it could stop communicating with the managed device.
You can choose this option if you can ensure that, if the sensor creates a rule to
block its own IP address, it will not be prevented from accessing the blocking
device.
Step 4 Enter the number of blocks that are to be maintained simultaneously in the
Maximum Block Entries field. Valid values are 1 to 65535. The default is 250.
Setting the maximum block entries higher than 250 is not recommended. The
number of blocks will not exceed the maximum block entries. If the maximum is
reached, new blocks will not occur until existing blocks time out and are removed.
Step 5 Click Add to add a host or network to the list of addresses never to be blocked. The
Add Never Block Address window opens.
Adding Never Block Addresses
[Figure: Add Never Block Address window: IP Address, Mask]
Step 6 Enter the IP address of the host or network in the IP Address field. This is the IP
address to never block.
Step 7 Choose the network mask that corresponds to the IP address from the Mask drop-
down menu.
Step 8 Click OK. The new host or network appears in the Never Block Addresses list on
the Blocking Properties panel.
Step 9 Click Apply to apply your changes and save the revised configuration.
[Figure: Cisco IDM Configuration > Signature Definition > Signature Configuration (sig0), Actions button]
The first step to configure automatic blocking is to select a signature and set its alert response
to block the offending host or connection. If you choose to block a host, all of the packets with
the source address of the suspected intruder are blocked. If you choose to block a connection,
only those packets that are moving from the offending source to its target and are associated
with the offending protocol are blocked.
Follow these steps to configure a signature action to perform blocking when the signature is
triggered:
Step 1 Click Configuration and choose Signature Definition > Signature Configuration.
Step 2 From the sig0 panel, click Actions. The Assign Actions window opens.
Configuring Device Login Profiles
[Figure: Cisco IDM Configuration > Blocking > Device Login Profiles panel, with the Add button]
The next step for configuring blocking is to specify the username and password that the sensor
uses when logging into blocking devices. Although you can create multiple profiles, one device
login profile can be used for multiple devices. For example, routers that all share the same
passwords and usernames can use the same device login profile. You must configure a device
login profile before configuring the blocking devices.
Step 2 Click Add to add a profile. The Add Device Login Profile window opens.
[Figure: Add Device Login Profile window: Username, New Password, Confirm New Password (login), New Password, Confirm New Password (enable)]
Step 3 Enter a name for your profile in the Profile Name field.
Step 4 Enter the username used to log into the blocking device in the Username field. This
step is optional.
Step 5 Enter the password used to log into the blocking device in the New Password field.
This step is optional.
Step 6 If you entered a password, enter the password again in the Confirm New Password
field.
Step 7 Enter the enable password used on the blocking device in the New Password field.
This step is optional.
Step 8 If you entered an enable password, enter it again in the Confirm New Password
field.
Step 9 Click OK. You receive an error message if the profile name already exists. The new
device login profile appears in the list on the Device Login Profile panel.
Step 10 Click Apply to apply your changes and save the revised configuration.
Configuring Blocking Devices
[Figure: Cisco IDM Configuration > Blocking > Blocking Devices panel, with the Add button]
After configuring device login profiles, you are ready to configure your blocking devices.
Follow these steps to configure blocking devices:
Step 1 Click Configuration and choose Blocking > Blocking Devices. The Blocking
Devices panel is displayed.
Step 2 Click Add to add a blocking device. You receive an error message if you have not
configured the device login profile. The Add Blocking Device window opens.
[Figure: Add Blocking Device window: IP Address, Sensor’s NAT Address, Device Login Profile, Device Type, Response Capabilities, Communication]
Step 3 Enter the IP address of the blocking device in the IP Address field.
Step 4 Enter the sensor Network Address Translation (NAT) address in the Sensor’s NAT
Address field. This is an optional field.
Step 5 Choose the device login profile from the Device Login Profile drop-down list. This
login profile is used to log into the blocking device.
Step 6 Choose the device type from the Device Type drop-down list.
Step 7 Choose the communication mechanism used to log into the blocking device from the
Communication drop-down menu.
Step 9 Click Apply to apply your changes and save the revised configuration.
You can configure a Cisco PIX security appliance running Cisco PIX Firewall Software
Version 7.0 or later or a Cisco ASA adaptive security appliance to function as multiple virtual
devices, with each virtual device having its own IP addresses, configuration, and session
tracking. This configuration is referred to as multiple virtual firewalls or multimode. Each
virtual firewall instance is referred to as a context. There are three types of contexts.
System: Where system-level commands are executed and where the other contexts are
created
Admin: The primary user context
Additional user contexts: Contains additional instances or virtual firewalls
Each admin and user context has an IP address and can be managed as its own device, with the
exception of executing system-level commands. Blocking can be done in the user contexts. The
ARC treats each user context as a separate device. You must configure the ARC to separately
connect to each user context IP address on which you want blocking to occur.
Configuring Router Blocking Device Interfaces
[Figure: Cisco IDM Configuration > Blocking > Router Blocking Device Interfaces panel, with the Add button]
Follow these steps to configure the blocking device interfaces if your blocking device is a
router.
Step 1 Click Configuration and choose Blocking > Router Blocking Device Interfaces.
Step 2 Click Add. The Add Router Blocking Device Interface window opens.
[Figure: Add Router Blocking Device Interface window: Blocking Interface, Direction, Pre-Block ACL, Post-Block ACL]
Step 3 Choose the IP address of the router blocking device from the Router Blocking
Device drop-down menu.
Step 4 Enter the blocking interface name in the Blocking Interface field. This is the
interface to be used on the router blocking device. A valid value is 2 to 32
characters.
Step 5 Choose the direction in which to apply the blocking ACL from the Direction drop-
down menu. You can choose In or Out.
Step 6 Enter the name of the Pre-Block ACL in the Pre-Block ACL field. This is an ACL to
apply before the blocking ACL. A valid value is zero to 64 characters. This is an
optional field.
Step 7 Enter the name of the Post-Block ACL in the Post-Block ACL field. This is an ACL
to apply after the blocking ACL. A valid value is zero to 64 characters. This is an
optional field.
Note The Post-Block ACL cannot be the same as the Pre-Block ACL.
Step 8 Click OK. You receive an error message if the IP address, interface, and direction
combination already exists. The new interface appears in the list on the Router
Blocking Device Interfaces panel.
Step 9 Click Apply to apply your changes and save the revised configuration.
Configuring Switch Blocking Device Interfaces
[Figure: Cisco IDM Configuration > Blocking > Cat 6K Blocking Device Interfaces panel, with the Add button]
You configure blocking on a Cisco Catalyst 6000 Series Switch running the Cisco Catalyst
operating system using VACLs. A blocking device interface is required to complete the
configuration of the blocking feature on the Cisco Catalyst 6000 Series Switch using VACLs.
Because Cisco Catalyst 6000 Series Switch VACLs do not support direction-based ACLs, the
blocking direction is not available for Cisco Catalyst 6000 Series Switch VACL devices.
Follow these steps to configure blocking device interfaces if your blocking device is a Cisco
Catalyst 6000 Series Switch:
Step 1 Click Configuration and choose Blocking > Cat 6K Blocking Device Interfaces.
Step 2 Click Add. The Add Cat 6K Blocking Device Interface window opens.
[Figure: Add Cat 6K Blocking Device Interface window: Cat 6K Blocking Device, VLAN ID, Pre-Block VACL, Post-Block VACL]
Step 3 Choose the IP address of the Cisco Catalyst 6500 Series Switch from the Cat 6K
Blocking Device drop-down menu.
Step 4 Enter the VLAN ID (VID) of traffic you want blocked in the VLAN ID field.
Step 5 Enter the name of the Pre-Block VACL in the Pre-Block VACL field. This is an
optional field.
Step 6 Enter the name of the Post-Block VACL in the Post-Block VACL field. This is an
optional field.
Step 7 Click OK. You receive an error message if the IP address and VLAN combination
already exists. The new interface appears in the list on the Cat 6K Blocking Device
Interfaces panel.
Step 8 Click Apply to apply your changes and save the revised configuration.
Note You must create and save Pre-Block and Post-Block VACLs in your switch configuration.
These VACLs must be extended IP VACLs, either named or numbered. See your switch
documentation for more information on creating VACLs.
Cisco ASA Adaptive Security Appliance Blocking Device Considerations
You do not need to configure the Cisco ASA 5500 Series Adaptive Security Appliance
interfaces and ACLs when the ASA 5500 Series is defined as a blocking device. Blocking is
enforced using the ASA 5500 Series shun command. The shun command is limited to blocking
hosts; it does not support the blocking of specific host connections or the manual blocking of
entire networks or subnetworks.
Note This behavior applies to the Cisco PIX 500 Series Security Appliances and the Cisco ASA
5500 Series Adaptive Security Appliances.
Configuring Active Host Blocks
[Figure: Active Host Blocks panel, with the Add button]
In addition to the automatic blocking initiated by the firing of a signature, the sensor can
perform blocking of a specific host or network. A host block can deny traffic from a specific
host until you remove the block or until a specified amount of time elapses. You can base the
block on a connection by indicating the destination IP address and the destination protocol and
port.
A host block is defined by its source IP address. If you add a block with the same source IP
address as an existing block, the new block overlays the old block. If you specify an amount of
time for the block, the value must be in the range of 1 to 70560 minutes, which is 49 days. If
you do not specify a time, the host block remains in effect until the sensor is rebooted or the
block is deleted.
Step 2 Click Add to add an active host block. The Add Active Host Block window opens.
Configuring Active Host Blocks (Cont.)
[Figure: Add Active Host Block window: Source IP, Enable Connection Blocking, Destination IP, Destination Port, Protocol, VLAN, Enable Timeout, Timeout, No Timeout]
Step 3 Enter the source IP address of the host that you want blocked.
Step 4 Check the Enable Connection Blocking check box if you want the block to be
connection-based. A connection block will block traffic from a given source IP
address to a given destination IP address and destination port. If you choose Enable
Connection Blocking, complete the following substeps within the Connection
Blocking area:
1. Enter the destination IP address for the block in the Destination IP field.
2. Enter the destination port for the block in the Destination Port field. This field is
optional.
3. Choose the protocol for the block from the Protocol drop-down menu. This field
is optional. The default is ANY. You can choose one of the following:
TCP
UDP
ANY
Step 6 Choose the Enable Timeout or No Timeout radio button. Enable Timeout allows
you to configure the block for a specified number of minutes. If you choose Enable
Timeout, enter the number of minutes for the block to last in the Timeout field. A
valid value is between 1 and 70560 minutes (49 days).
Step 7 Click Apply. You receive an error message if a block is configured for that IP
address. The new active host block is displayed in the list on the Active Host Blocks
panel.
Configuring Network Blocks
[Figure: Cisco IDM Monitoring > Network Blocks panel, with the Add button]
You can also configure the sensor to block specific networks. A network block denies traffic
from a specific network until the block is removed or a specified amount of time elapses. A
network block is defined by its source IP address and netmask. If you specify an amount of
time for the block, the value must be in the range of 1 to 70560 minutes, which is 49 days. If
you do not specify a time, the block remains in effect until the sensor is rebooted or the block is
deleted.
Step 1 Click Monitoring and choose Network Blocks. The Network Blocks panel is
displayed.
Step 2 Click Add to add a network block. The Add Network Block window opens.
[Figure: Add Network Block window, with the fields Source IP, Netmask, and Enable Timeout / No Timeout with a Timeout value]
Step 3 Enter the source IP address of the network that you want blocked in the Source IP
field.
Step 4 Choose the netmask that corresponds to the source IP address from the Netmask
drop-down menu.
Step 5 Choose the Enable Timeout or the No Timeout radio button. Enable Timeout
allows you to configure the block for a specified number of minutes. If you choose
Enable Timeout, enter the number of minutes that you want the block to last in the
Timeout field. A valid value is between 1 and 70560 minutes (49 days).
Step 6 Click Apply. You receive an error message if a block for that network has already
been added. The new network block appears in the list on the Network Blocks panel.
Note You can see the time remaining for the blocks in the Minutes Remaining column of the
Network Blocks panel.
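The two procedures above describe one block table seen from the sensor's side: an active host block keys on the source address only, a connection block adds a destination address and optionally a destination port and protocol, a network block keys on source address plus netmask, and every block either expires after 1 to 70560 minutes or persists until it is deleted or the sensor reboots. The following Python model is an added example, not Cisco code: the ARC keeps its own table and pushes the corresponding ACL or shun entries to the managed device, whereas this model only reproduces the rules stated in this lesson so that you can check what a given block would and would not stop before you apply it. The addresses used are constructed for the example.

```python
"""Model of the manual blocks the ARC accepts: active host blocks, connection
blocks and network blocks, with the timeout rules this lesson states.
Added example, not Cisco code; the ARC keeps its own table and pushes the
matching ACL or shun entries to the managed device."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MAX_TIMEOUT_MIN = 70560          # 49 days, the upper bound for a timed block
PROTOCOLS = ("ANY", "TCP", "UDP")


class BlockError(ValueError):
    """Raised where the IDM would show an error message (bad timeout, duplicate block)."""


@dataclass(frozen=True)
class Block:
    source: ipaddress.IPv4Network                     # /32 for a host, address/netmask for a network
    dst_ip: Optional[ipaddress.IPv4Address] = None    # set only for a connection block
    dst_port: Optional[int] = None                    # optional, connection blocks only
    protocol: str = "ANY"                             # ANY, TCP or UDP; connection blocks only
    # None means "No Timeout": the block lasts until deleted or the sensor reboots.
    # Excluded from equality so a second block for the same key counts as a duplicate.
    timeout_min: Optional[int] = field(default=None, compare=False)

    def matches(self, src, dst, port, proto):
        """Would this block stop a packet src -> dst:port over proto?"""
        if ipaddress.IPv4Address(src) not in self.source:
            return False
        if self.dst_ip is None:                       # host or network block: source only
            return True
        if ipaddress.IPv4Address(dst) != self.dst_ip:
            return False
        if self.dst_port is not None and port != self.dst_port:
            return False
        return self.protocol == "ANY" or self.protocol == proto.upper()


class BlockTable:
    def __init__(self):
        self._expiry = {}     # Block -> expiry (minutes since sensor start) or None

    def add_host_block(self, src_ip, timeout_min=None, now=0):
        return self._add(Block(ipaddress.IPv4Network(f"{src_ip}/32"),
                               timeout_min=timeout_min), now)

    def add_connection_block(self, src_ip, dst_ip, dst_port=None, protocol="ANY",
                             timeout_min=None, now=0):
        if protocol.upper() not in PROTOCOLS:
            raise BlockError(f"protocol must be one of {PROTOCOLS}")
        blk = Block(ipaddress.IPv4Network(f"{src_ip}/32"), ipaddress.IPv4Address(dst_ip),
                    dst_port, protocol.upper(), timeout_min)
        return self._add(blk, now)

    def add_network_block(self, src_ip, netmask, timeout_min=None, now=0):
        net = ipaddress.IPv4Network(f"{src_ip}/{netmask}", strict=False)
        return self._add(Block(net, timeout_min=timeout_min), now)

    def _add(self, blk, now):
        if blk.timeout_min is not None and not 1 <= blk.timeout_min <= MAX_TIMEOUT_MIN:
            raise BlockError(f"timeout must be 1..{MAX_TIMEOUT_MIN} minutes, got {blk.timeout_min}")
        if blk in self._expiry:
            raise BlockError(f"a block for {blk.source} is already configured")
        self._expiry[blk] = None if blk.timeout_min is None else now + blk.timeout_min
        return blk

    def minutes_remaining(self, blk, now):
        """What the Minutes Remaining column would show; None for a No Timeout block."""
        expiry = self._expiry[blk]
        return None if expiry is None else max(0, expiry - now)

    def expire(self, now):
        """Drop timed blocks whose timeout has elapsed; No Timeout blocks survive."""
        self._expiry = {b: e for b, e in self._expiry.items() if e is None or e > now}

    def reboot(self):
        """Manual blocks are not persistent: a sensor reboot clears them all."""
        self._expiry.clear()

    def is_blocked(self, src, dst, port, proto="TCP"):
        return any(b.matches(src, dst, port, proto) for b in self._expiry)


def rejected(action, *args, **kwargs):
    """True if the table would refuse the action with an error message."""
    try:
        action(*args, **kwargs)
        return False
    except BlockError:
        return True
```

The model makes one consequence of the procedures explicit: a connection block with protocol ANY and no port still passes traffic from the blocked host to every other destination, so it is not a substitute for a host block when the source itself is hostile.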
How to Configure a Master Blocking Scenario
This topic explains how to configure a master blocking sensor (MBS).
[Figure: two entry points into the protected network, one from Provider X and one from Provider Y; the attacker enters through Provider X, sensor A blocks at router A, and sensor B blocks at the Provider Y entry point]
In some configurations, it is necessary to have a proxy sensor perform the blocking action for
another sensor on your network. These proxy sensors are referred to as MBSs. The sensors that
send block requests to master blocking sensors are referred to as blocking forwarding sensors.
The figure illustrates how to use MBSs. The network has two entry points from two different
providers, Provider X and Provider Y. The entry point for Provider X has sensor A, configured
for device management with router A. The entry point for Provider Y has sensor B, configured
for device management with the Cisco PIX security appliance B. When sensor A detects an
attempt to penetrate a host in the protected network, it blocks the attacker at router A. If
sensor A is not also configured to forward the block to sensor B as its MBS, the path through
Provider Y remains open, and the attacker can reach the protected network through that route.
Characteristics of an MBS:
An MBS can be any sensor that controls blocking on a device on
behalf of another sensor.
A blocking forwarding sensor is a sensor that sends block
requests to an MBS.
Any Cisco IPS running Cisco IPS Sensor Software Version 6.0
can act as an MBS for any other Cisco IPS running Cisco IPS
Sensor Software Version 6.0.
A sensor can forward block requests to a maximum of 10 MBSs.
An MBS can handle block requests from multiple blocking
forwarding sensors.
An MBS can use other MBSs to control other devices.
An MBS is a sensor that controls blocking on one or more devices on behalf of one or more
other sensors, which are known as blocking forwarding sensors. In other words, the ARC on an
MBS controls blocking on devices at the request of the ARCs running on blocking forwarding
sensors.
Any Cisco IPS sensor running Cisco IPS Sensor Software Version 6.0 can act as an MBS for
another Cisco IPS sensor running Cisco IPS Sensor Software Version 6.0. Cisco IDS sensors
running Cisco Intrusion Detection System (IDS) Software Version 3.1 or earlier used the
proprietary Cisco PostOffice protocol to communicate blocking instructions. With Cisco IDS
Sensor Software Version 4.0 and Cisco IPS Sensor Software Version 5.0, the blocking
forwarding sensor uses Remote Data Exchange Protocol (RDEP) to communicate blocking
instructions to an MBS. Cisco IPS Sensor Software Version 6.0 uses Remote Data Exchange
Protocol version 2 (RDEP2). The blocking forwarding sensor ARC can send two block messages
to an MBS:
Initiate a block: Used for manual blocks or automatic blocks initiated in response to an
event.
Stop blocking: Used for manual blocks.
Block timeout messages are not communicated because each sensor handles its own blocking
timeouts. Permanent blocks are also not communicated because these can be configured only
for devices that a sensor directly manages.
A blocking forwarding sensor can forward block requests to a maximum of 10 MBSs, and each
MBS can handle block requests from more than one blocking forwarding sensor. However,
multiple sensors cannot manage a single blocking device.
An MBS can also use other MBSs to control other devices. However, this type of blocking
configuration can become quite complex, and, because MBSs can chain block messages,
circular block messaging can occur.
Note When an MBS chains block messages, the block messages are applied one right after the
other. Circular block messaging occurs when chained block messages continue for an
extended period of time.
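The constraints in this topic (at most 10 MBSs per blocking forwarding sensor, a blocking device managed by only one sensor, and no circular block messaging through chained MBSs) are easy to violate once more than two sensors are involved. The following Python checker is an added example, not Cisco code; the sensor and device names and the dictionary layout are assumptions made for the example. It walks the forwarding graph and reports every cycle, which is the configuration that produces circular block messaging.

```python
"""Pre-deployment checks on a master blocking topology: the 10-MBS limit per
blocking forwarding sensor, one managing sensor per blocking device, and no
cycle in the chain of MBSs (the condition behind circular block messaging).
Added example, not Cisco code; sensor and device names are assumptions."""
from collections import defaultdict

MAX_MBS_PER_SENSOR = 10


def find_cycles(graph):
    """Depth-first search over graph {node: [successor, ...]}.
    Returns each directed cycle once, rotated to start at its smallest node,
    as a list that repeats the start node at the end (A -> B -> A)."""
    cycles, seen, stack, on_path, done = [], set(), [], set(), set()

    def dfs(node):
        stack.append(node)
        on_path.add(node)
        for nxt in graph.get(node, []):
            if nxt in on_path:                         # back edge: a cycle closes here
                cyc = stack[stack.index(nxt):]
                i = cyc.index(min(cyc))
                canon = tuple(cyc[i:] + cyc[:i])
                if canon not in seen:
                    seen.add(canon)
                    cycles.append(list(canon) + [canon[0]])
            elif nxt not in done:
                dfs(nxt)
        stack.pop()
        on_path.discard(node)
        done.add(node)

    for start in sorted(graph):
        if start not in done:
            dfs(start)
    return cycles


def validate_topology(forwards, devices):
    """forwards: {sensor: [mbs, ...]}   which MBSs each sensor sends block requests to
    devices:  {sensor: [device, ...]} which blocking devices each sensor manages directly
    Returns a list of problems; an empty list means the topology satisfies the rules."""
    problems = []
    for sensor, mbs_list in forwards.items():
        if len(mbs_list) > MAX_MBS_PER_SENSOR:
            problems.append(f"{sensor} forwards to {len(mbs_list)} MBSs "
                            f"(max {MAX_MBS_PER_SENSOR})")
    owners = defaultdict(list)
    for sensor, devs in devices.items():
        for dev in devs:
            owners[dev].append(sensor)
    for dev, sensors in owners.items():
        if len(sensors) > 1:
            problems.append(f"device {dev} is managed by more than one sensor: "
                            f"{sorted(sensors)}")
    for cyc in find_cycles(forwards):
        problems.append("circular block messaging: " + " -> ".join(cyc))
    return problems


if __name__ == "__main__":
    # Constructed topology: sensor A forwards to mbs1, mbs1 chains to mbs2, and
    # mbs2 has been pointed back at mbs1; both MBSs also claim the same PIX.
    forwards = {"sensorA": ["mbs1"], "mbs1": ["mbs2"], "mbs2": ["mbs1"]}
    devices = {"sensorA": ["routerA"], "mbs1": ["pixB"], "mbs2": ["pixB"]}
    for problem in validate_topology(forwards, devices):
        print(problem)
```

Run the check from the inventory you keep of which sensor manages which router, PIX, or switch; the ARC itself only sees its own configuration and cannot detect a cycle that closes two hops away.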
To have a sensor initiate blocking on behalf of another sensor, you must configure both sensors.
On the blocking forwarding sensor, complete the following steps:
Identify the remote host that serves as the MBS.
Add the MBS to the blocking forwarding sensor Transport Layer Security (TLS) trusted
host table if TLS is enabled for encrypted communications.
On the MBS, add the blocking forwarding sensor IP address to the allowed host configuration.
Configuring the Blocking Forwarding Sensor
[Figure: Cisco IDM Configuration > Blocking > Master Blocking Sensor panel, with the Add button]
Step 1 Click Configuration and choose Blocking > Master Blocking Sensor. The Master
Blocking Sensor panel is displayed.
Step 2 Click Add to add an MBS. The Add Master Blocking Sensor window opens.
[Figure: Add Master Blocking Sensor window, with the fields IP Address, Port, Username, New Password, and Confirm New Password]
Step 4 Enter the port number in the Port field. The blocking forwarding sensor connects to
the MBS on this port. The default is 443. This field is optional.
Step 5 Enter the username used to log into the MBS in the Username field. A valid value is
1 to 16 characters.
Step 6 Enter the password for the user in the Password field.
Step 8 Check or uncheck the Use TLS check box. If you check the Use TLS check box,
complete the following substeps to configure the ARC of the blocking forwarding
sensor to accept the TLS or SSL X.509 certificate of the MBS remote host.
1. Log into the blocking forwarding sensor CLI using an account with
administrator privileges.
5. Exit global configuration mode and the command-line interface (CLI):
sensor(config)# exit
sensor# exit
You are prompted to accept the certificate based on its fingerprint. Sensors
present self-signed certificates rather than certificates signed by a recognized
certificate authority, so the fingerprint is the only thing that ties the
certificate to the MBS. Verify it out of band before accepting it: log into the
MBS itself (at its console or over a session you already trust), enter the show
tls fingerprint command, and confirm that the fingerprint it displays matches
the one you are being asked to accept. If the fingerprints differ, do not accept
the certificate; the host answering at that address is not presenting the MBS
certificate you expect.
Step 9 Click OK. You receive an error message if the IP address has already been added.
The new MBS appears in the list on the Master Blocking Sensor panel.
Note You can also configure the blocking forwarding sensor to accept the X.509 certificate by
using the Add Trusted Host window, which is displayed when you choose Configuration >
Certificates > Trusted Hosts.
Step 10 Click Apply to apply your changes and save the revised configuration.
Note You can check the status of the ARC by using the CLI show statistics network-access
command. The output shows the devices that you are managing, any active blocks, and the
status for all of the devices. You can also check the status in the Cisco IDM by choosing
Monitoring > Statistics.
[Figure: Add Allowed Host window, with the fields IP Address and Network Mask]
To complete your master blocking configuration, go to the MBS and use the Add Allowed Host
window to add the IP address of the blocking forwarding sensor to the allowed hosts list. To
access the Add Allowed Host window, click Configuration and choose Sensor Setup >
Allowed Hosts, and then click Add. Enter the IP address of the blocking forwarding sensor in
the IP Address field and select its corresponding network mask from the Network Mask drop-
down menu.
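Both halves of the trust relationship described above, the forwarding sensor pinning the MBS certificate by fingerprint and the MBS admitting the forwarding sensor through an allowed-host entry, can be checked before anything is clicked in the Cisco IDM. The following Python example is added here and is not Cisco code: the certificate bytes are a constructed placeholder rather than a real X.509 certificate (a fingerprint is only a hash of the DER encoding, so the check is the same on a real one), the allowed-host entry is assumed, and the fingerprint is handled in the colon-separated hexadecimal form that sensors display, normalized so that a hand-copied value with or without colons still compares.

```python
"""Checks for the two halves of the MBS trust relationship: the forwarding
sensor pins the MBS certificate by fingerprint, and the MBS admits the
forwarding sensor through its allowed-hosts list.  Added example, not Cisco
code; MBS_CERT_DER is a constructed placeholder, not a real certificate, and
ALLOWED_HOSTS is an assumed entry."""
import hashlib
import hmac
import ipaddress


def fingerprints(der_bytes):
    """MD5 and SHA-1 fingerprints of a DER-encoded certificate, colon-separated hex."""
    return {
        "md5": ":".join(f"{b:02X}" for b in hashlib.md5(der_bytes).digest()),
        "sha1": ":".join(f"{b:02X}" for b in hashlib.sha1(der_bytes).digest()),
    }


def normalize(fp):
    """Accept AA:BB, AA BB or aabb so a hand-copied fingerprint still compares."""
    return fp.replace(":", "").replace(" ", "").lower()


def certificate_trusted(presented_der, recorded_sha1):
    """Forwarding-sensor side: does the certificate presented at connect time match
    the SHA-1 fingerprint read from 'show tls fingerprint' on the MBS itself?
    Constant-time comparison; a mismatch means something other than the MBS answered."""
    computed = normalize(fingerprints(presented_der)["sha1"])
    return hmac.compare_digest(computed, normalize(recorded_sha1))


def allowed(host_ip, allowed_hosts):
    """MBS side: is the forwarding sensor covered by an allowed-host (IP, netmask) entry?"""
    addr = ipaddress.IPv4Address(host_ip)
    return any(addr in ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
               for ip, mask in allowed_hosts)


def pair_ready(presented_der, recorded_sha1, forwarding_sensor_ip, allowed_hosts):
    """Both conditions this topic requires before block requests will be accepted."""
    return (certificate_trusted(presented_der, recorded_sha1)
            and allowed(forwarding_sensor_ip, allowed_hosts))


# Constructed placeholder standing in for the DER bytes of the MBS self-signed cert.
MBS_CERT_DER = b"\x30\x82\x01\x00 placeholder self-signed certificate for the MBS"
# The value an administrator would copy from 'show tls fingerprint' on the MBS console.
RECORDED_SHA1 = fingerprints(MBS_CERT_DER)["sha1"]
# Assumed allowed-hosts entry on the MBS: the management subnet of the forwarding sensor.
ALLOWED_HOSTS = [("10.0.0.0", "255.255.255.0")]

if __name__ == "__main__":
    print("MBS fingerprints:", fingerprints(MBS_CERT_DER))
    print("sensor 10.0.0.5 ready:",
          pair_ready(MBS_CERT_DER, RECORDED_SHA1, "10.0.0.5", ALLOWED_HOSTS))
    # A substituted certificate (man-in-the-middle) has a different fingerprint.
    print("tampered cert accepted:",
          certificate_trusted(MBS_CERT_DER + b"\x00", RECORDED_SHA1))
```

Keep the allowed-host netmask as narrow as the deployment permits; a /24 entry, as in the assumed example, admits every host on the management subnet to the MBS, not just the forwarding sensor.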
Summary
This topic summarizes the key points that were discussed in this lesson.
Module Summary
Anomaly detection and POSFP are features that allow the Cisco
IPS Sensor products to provide significant worm protection and
alarm relevance.
– Anomaly detection allows the sensor to learn what is normal
behavior to your network, and take dynamic actions in
response to behavior that deviates from what is considered
normal.
– POSFP helps the Cisco IPS Sensor determine the operating
system for a host. This information is then used to help
calculate a more appropriate risk rating.
Blocking can be initiated either automatically or manually. You
can configure a manual block to block by host or by network.
While the Cisco Intrusion Prevention System (IPS) sensor products work well out of the box,
there are several ways that you can tune the sensors to work better for your network.
Configuring event variables, target value ratings (TVRs), event action overrides, and event
action filters are all ways to raise the proportion of events that reflect true attacks and to
lower the number of events that reflect anything else.
There are also many tools that you can use to more efficiently monitor and enhance the
performance of the Cisco IPS sensor products. These include, but are not limited to, the Cisco
IPS Event Viewer (IEV), the Cisco Security Management Suite, Cisco Security Monitoring,
Analysis, and Response System (MARS), and Cisco Incident Control System (ICS). Cisco IEV
is a no-cost option that allows you to customize the events to monitor for up to five Cisco IPS
sensor products.
Virtual sensors are a feature added in Cisco IPS Sensor Software Version 6.0 that allows you
to apply different configurations to different traffic. Virtual sensors also make it possible to
monitor traffic from networks that have overlapping address spaces while using one physical
sensor. Anomaly detection and passive operating system fingerprinting (POSFP) are additional
tools that help you protect your network from attacks more effectively and efficiently.
Blocking is a Cisco IPS feature that prevents packets from reaching their destination. Blocking
is initiated by a sensor and performed by another Cisco device at the request of the sensor. You
can configure blocking to occur automatically or you can manually configure specific hosts or
networks to block.
Module 5
Overview
This module introduces additional devices in the Cisco Intrusion Prevention System (IPS)
family of products besides the Cisco IPS 4200 Series Sensors. This module will provide an
overview of the differences of these products and how to perform an initial configuration.
Module Objectives
Upon completing this module, you will be able to install the remaining members of the Cisco
IPS family of products in your environment and initialize them. This ability includes being able
to meet these objectives:
Explain the basics of how to install the Cisco Catalyst 6500 Series IDSM-2 into a Cisco
Catalyst 6500 Series Switch and initialize the module
Initialize a Cisco ASA AIP-SSM
Lesson 1
Overview
This lesson covers information on the Cisco Catalyst 6500 Series Intrusion Detection System
Services Module 2 (IDSM-2) and how to prepare it to provide intrusion prevention.
Objectives
Upon completing this lesson, you will be able to explain the basics of how to install the Cisco
Catalyst 6500 Series IDSM-2 in a Cisco Catalyst 6500 Series Switch and initialize it. This
ability includes being able to meet these objectives:
Describe the Cisco Catalyst 6500 Series IDSM-2
Install the Cisco Catalyst 6500 Series IDSM-2
Configure the Cisco Catalyst 6500 Series IDSM-2 interfaces
Monitor the Cisco Catalyst 6500 Series IDSM-2
Perform Cisco Catalyst 6500 Series IDSM-2 maintenance
Cisco Catalyst 6500 Series IDSM-2 Overview
This topic introduces the Cisco Catalyst 6500 Series IDSM-2.
The technical specifications for the Cisco Catalyst 6500 Series IDSM-2 are as follows:
Performance: 500 Mbps with 450-byte (B) packets
Size: 1 rack unit (RU)
Processor: Dual 1.13 GHz
Operating system: GNU Linux kernel version 2.4.26
Note Performance up to 600 Mbps is possible when the Cisco Catalyst 6500 Series IDSM-2 is
running in promiscuous mode (intrusion detection system [IDS]). Performance for a Cisco
Catalyst 6500 Series IDSM-2 running Cisco Intrusion Prevention System (IPS) Sensor
Software Version 6.0 is rated at 500 Mbps with 450-B packets at 5000 new TCP
connections per second with 50,000 concurrent connections.
Differences between Cisco Catalyst 6500 Series
IDSM-2 and Cisco IPS 4200 Series Sensors
Although the Cisco Catalyst 6500 Series IDSM-2 runs the same image as the Cisco IPS 4200
Series Sensors, there are some differences that can largely be traced to the fact that the Cisco
Catalyst 6500 Series IDSM-2 is a module in a switch. These are the major differences for the
Cisco Catalyst 6500 Series IDSM-2:
It does not support sensor virtualization using inline VLAN groups.
It does not support subdividing inline interfaces or VLAN groups.
It automatically synchronizes its clock with the switch.
It does not have a clock set command.
It has only two sensing interfaces.
It must be configured with a native VLAN.
It does not have console access.
Several of the Cisco Catalyst 6500 Series IDSM-2 related commands are executed on the
Cisco Catalyst 6500 Series Switch.
It has a maintenance partition.
The following are key features of the Cisco Catalyst 6500 Series IDSM-2:
It brings switching and security into a single chassis.
It supports inline and promiscuous-mode operations.
It is supported by all Cisco Catalyst 6500 Series Switches.
It uses the same code as the Cisco IPS 4200 Series Sensors. This enables you to employ a
single management technique and makes installation, training, operation, and support
simpler and faster.
It takes only a single slot in the switch chassis. You can install up to eight Cisco Catalyst
6500 Series IDSM-2 modules in a single switch chassis.
It supports most TCP, IP, and Address Resolution Protocol (ARP) protocols, including
Multiprotocol Label Switching (MPLS).
Differences Between Promiscuous and
Inline Mode
The table shows how the features of the Cisco Catalyst 6500 Series IDSM-2 vary depending on
your selection of inline or promiscuous mode.
Feature             Promiscuous mode                               Inline mode
Traffic visibility  Has access to the data stream via VLAN         Resides in the data
                    access control list (VACL) capture,            forwarding path
                    Switch Port Analyzer (SPAN), or Remote
                    SPAN (RSPAN)
Cisco Catalyst 6500 Series IDSM-2 Ports
The Cisco Catalyst 6500 Series IDSM-2 has four logical ports, which can be used as follows:
Port 1 (System0/1 in Cisco IPS Sensor Software Version 6.0): This is the TCP reset port
for promiscuous-mode IDS. This port is not used for inline IPS.
Port 2 (Gigabit Ethernet 0/2 in Cisco IPS Sensor Software Version 6.0): This is the
command and control port.
Ports 7 and 8 (Gigabit Ethernet 0/7 and Gigabit Ethernet 0/8 in Cisco IPS Sensor
Software Version 6.0): These are the monitoring ports. One of these ports can be a SPAN
destination or VACL capture port for promiscuous-mode IDS. Otherwise, ports 7 and 8 can
be configured as a port pair to support inline IPS.
For promiscuous-mode sensing, packets are directed to the monitoring ports of the Cisco
Catalyst 6500 Series IDSM-2 by using the VACL capture, SPAN, or RSPAN method of traffic
capture. SPAN provides a means of sending a copy of the traffic within the switch from a
spanned source port to a port designated as the SPAN destination port. The port being spanned
is usually an Ethernet port in the chassis that carries interesting traffic for the Cisco Catalyst
6500 Series IDSM-2 to monitor. A copy of transmit (Tx), receive (Rx), or both Tx and Rx traffic
can be sent from the spanned port to a Cisco Catalyst 6500 Series IDSM-2 monitoring port.
With SPAN enabled on a source port or VLAN, a copy of all Rx traffic, all Tx traffic, or all Rx
and Tx traffic from the SPAN source port or VLAN is sent to the SPAN destination port. On
the Catalyst 6500 Series Switch, there is a limit to the number of SPAN ports that you can
configure. For Rx SPAN sessions, you can have a maximum of two per chassis. For Tx SPAN
sessions, you can have a maximum of four sessions per chassis. For SPAN sessions that copy
and send both Rx and Tx traffic from a port, you can configure a maximum of two SPAN
sessions per chassis.
A VACL capture is a way to leverage the hardware resources of the Policy Feature Card (PFC),
which resides on the supervisor engine of the switch. With VACL capture, traffic matching
access control lists (ACLs) programmed into the PFC hardware is copied and sent to a
configured capture port. The monitor port of the Cisco Catalyst 6500 Series IDSM-2 can be
configured as the VACL capture port. Although configuring SPAN is easier, the VACL method
of sending traffic to the Cisco Catalyst 6500 Series IDSM-2 may be preferable because it
allows a subset of traffic to be copied and sent to the Cisco Catalyst 6500 Series IDSM-2. This
limits the amount of traffic that must be processed and potentially allows more traffic in the
chassis to be analyzed. Other traffic flows as usual and does not add to the load of traffic that
the Cisco Catalyst 6500 Series IDSM-2 has to process.
Traffic Flow: Promiscuous
[Figure: promiscuous-mode traffic flow, with traffic captured off the switch backplane to the Cisco Catalyst 6500 Series IDSM-2 and a management console attached to the module]
For promiscuous-mode operations, the Cisco Catalyst 6500 Series Switch must be configured
to capture traffic for intrusion detection analysis. If this configuration is not done, the Cisco
Catalyst 6500 Series IDSM-2 will never be able to see into the network traffic.
The figure illustrates how the Cisco Catalyst 6500 Series IDSM-2 captures and analyzes
network traffic. Traffic enters the Cisco Catalyst 6500 Series Switch destined for a host or
network. The traffic is captured off the switch backplane and sent to the Cisco Catalyst 6500
Series IDSM-2. The Cisco Catalyst 6500 Series IDSM-2 performs intrusion detection analysis
and performs the defined actions.
Traffic Flow: Inline
[Figure: inline traffic flow; source traffic enters the switch, VLAN traffic flows through the Cisco Catalyst 6500 Series IDSM-2 to its destination, and a management console is attached to the module]
For inline IPS, it is not necessary to configure traffic capture. When the Cisco Catalyst 6500
Series IDSM-2 and its host switch are properly configured, traffic flows through the Cisco
Catalyst 6500 Series IDSM-2 for inspection as it traverses the host switch.
Time and Cisco Catalyst 6500
Series IDSM-2
The Cisco Catalyst 6500 Series IDSM-2 requires a reliable time source. All of the alerts must
have the correct Greenwich mean time (GMT) and local time stamp. Otherwise, you cannot
correctly analyze the logs after an attack.
To ensure a reliable time source, the Cisco Catalyst 6500 Series IDSM-2 must obtain its time
from one of the following:
Its host switch: By default, the Cisco Catalyst 6500 Series IDSM-2 automatically
synchronizes its clock with the GMT time on the switch. The time zone and summertime
settings, however, are not synchronized between the switch and the Cisco Catalyst 6500
Series IDSM-2. Be sure to set the time zone and summertime settings on both the switch
and the Cisco Catalyst 6500 Series IDSM-2 to ensure that the GMT time settings are
correct. The Cisco Catalyst 6500 Series IDSM-2 local time will be incorrect if its time zone
or summertime settings do not match those of the switch.
A Network Time Protocol (NTP) server: This is the recommended method. You can
configure the Cisco Catalyst 6500 Series IDSM-2 to use NTP during initialization, or you
can set up NTP on the Cisco IPS Device Manager (IDM) time panel.
Installation Tasks
Task 1: Install the Cisco Catalyst 6500 Series IDSM-2 in the switch.
Task 2: Initialize the Cisco Catalyst 6500 Series IDSM-2.
Task 3: Configure the switch for command and control access.
Task 4: Configure the interfaces.
Task 5: Configure the Cisco Catalyst 6500 Series IDSM-2 for inline
operation.
Task 6: Configure multiple virtual sensors and assign inline VLAN
pairs to them. (optional)
To enable the Cisco Catalyst 6500 Series IDSM-2 to protect your network, complete the
following tasks:
Task 1 Install the Cisco Catalyst 6500 Series IDSM-2 in the Cisco Catalyst switch. This
step involves the physical installation into the chosen slot.
Task 2 Initialize the Cisco Catalyst 6500 Series IDSM-2 by running the setup command.
Task 5 Configure the Cisco Catalyst 6500 Series IDSM-2 for inline operation by creating an
inline pair.
Task 1: Installing the Cisco Catalyst 6500
Series IDSM-2
Follow these steps to install the Cisco Catalyst 6500 Series IDSM-2 in the Cisco Catalyst
switch:
Step 1 Read the Regulatory Compliance and Safety Information for the Intrusion Detection
System Appliances and Modules manual that comes with the Cisco Catalyst 6500
Series IDSM-2 before installing the Cisco Catalyst 6500 Series IDSM-2 and ensure
that you take the necessary safety precautions.
Step 2 Choose a slot for the module. The Supervisor Engine must be installed in slot 1, and
a redundant Supervisor Engine can be installed in slot 2. If you do not install a
redundant Supervisor Engine, you can install the Cisco Catalyst 6500 Series IDSM-2
in any slot except slot 1; if a redundant Supervisor Engine is installed, slot 2 is also
unavailable.
Step 3 Loosen the installation screws that secure the filler plate to the desired slot. Use a
screwdriver if necessary.
Step 4 Remove the filler plate by pulling the ejector levers on both sides and sliding it out.
Step 5 Hold the module with one hand, and place your other hand under the module carrier
to support it.
Caution Do not touch the printed circuit boards or connector pins on the module.
Step 6 Place the module in the slot by aligning the notch on the sides of the module carrier
with the groove in the slot.
Step 7 Keeping the module at a 90-degree orientation to the backplane, carefully slide it
into the slot until the notches on both ejector levers engage the chassis sides.
Step 8 Using the thumb and forefinger of each hand, simultaneously pivot in both ejector
levers to fully seat the module in the backplane connector.
Step 9 Use a screwdriver to tighten the installation screws on the left and right sides of the
module.
All of the Cisco Catalyst 6500 Series Switches support hot swapping, which enables you to
install, remove, replace, and rearrange modules without turning off the system power. When the
system detects that a module has been installed or removed, it runs diagnostic and discovery
routines, acknowledges the presence or absence of the module, and resumes system operation
with no operator intervention.
If you perform a hot swap, the console displays a message informing you that a module has
been inserted. If you are connected to the Cisco Catalyst 6500 Series Switch through a Telnet
session, this message does not appear.
Note For detailed installation procedures, see the Cisco Intrusion Detection System Appliance
and Module Installation and Configuration Guide at
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_book09186a008014a234.html.
Task 2: Initializing the Cisco Catalyst
6500 Series IDSM-2
Step 1: Access the Cisco Catalyst 6500 Series IDSM-2 using the
switch session command.
Step 2: Log in at the Cisco Catalyst 6500 Series IDSM-2 login
prompt with the username cisco and the default password
cisco.
Step 3: Execute the setup command to enter the configuration
dialog.
Step 4: Enter the network communication parameters.
Step 5: Reset the Cisco Catalyst 6500 Series IDSM-2.
Because the Cisco Catalyst 6500 Series IDSM-2 runs the same code as the Cisco IPS 4200
Series Sensors, the initialization of the Cisco Catalyst 6500 Series IDSM-2 is essentially the
same as that of the Cisco IPS 4200 Series Sensor. The main difference is the method of
accessing the Cisco Catalyst 6500 Series IDSM-2 command-line interface (CLI) for
initialization. Follow these steps to initialize the Cisco Catalyst 6500 Series IDSM-2:
Step 1 Use the session command to initiate a session with the Cisco Catalyst 6500 Series
IDSM-2 from the switch CLI. The following example would enable access to the
Cisco Catalyst 6500 Series IDSM-2 installed in slot 3 of the Cisco Catalyst 6500
Series Switch:
cat6k>(enable) session 3
Step 2 Log into the Cisco Catalyst 6500 Series IDSM-2 using the default username cisco
and the password cisco.
Step 3 Follow the prompts to change the default password.
Note Passwords must be at least eight characters long and must not be words found in the
dictionary.
Step 4 Run the setup command and respond to its interactive prompts to complete the
initial configuration.
Step 5 Reset the Cisco Catalyst 6500 Series IDSM-2 to enable and apply the configuration
changes.
Note The examples in this lesson use the Catalyst software command syntax. For Cisco IOS
command syntax, refer to Cisco Intrusion Prevention System Command Reference 6.0 at
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_command_reference_book09186a00807a874d.html.
After initializing the Cisco Catalyst 6500 Series IDSM-2, you must configure the switch for
command and control access to the Cisco Catalyst 6500 Series IDSM-2. To configure the Cisco
Catalyst 6500 Series Switch to have command and control access to the Cisco Catalyst 6500
Series IDSM-2, complete the following steps:
5-18 Implementing Cisco Intrusion Prevention Systems (IPS) v6.0 © 2007 Cisco Systems, Inc.
login: cisco
Password:
Last login: Thu Mar 3 09:40:53 from 127.0.0.11
***NOTICE***
This product contains cryptographic features and is
subject to United States and local country laws
governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-
party authority to import, export, distribute or use
encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and
local country laws. By using this product you agree to
comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return
this product immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license to obtain
a new license or install a license.
idsm-2#
2. Ping a network IP address:
For Cisco Catalyst 6500 Series IDSM-2 inline operations, you will next configure the Cisco
Catalyst 6500 Series IDSM-2 sensing ports as trunk ports in the Cisco Catalyst operating
system software. Because the native VLAN is the same as the sole VLAN being trunked, the
traffic is 802.1Q encapsulated.
Caution The default configuration for Cisco Catalyst 6500 Series IDSM-2 ports 7 and 8 is to trunk all
of the VLANs, 1 to 4094. If you clear the Cisco Catalyst 6500 Series IDSM-2 configuration
using the clear configuration module_number command, the Cisco Catalyst 6500 Series
IDSM-2 will trunk all VLANs. If the Cisco Catalyst 6500 Series IDSM-2 is configured for inline
functionality, spanning-tree loops will likely be created and a storm will occur.
Follow these steps to configure the sensing ports on the Cisco Catalyst 6500 Series IDSM-2 for
inline operations:
Note For this example, the Cisco Catalyst 6500 Series IDSM-2 is installed in slot 3.
Step 4 Clear all of the VLANs from each Cisco Catalyst 6500 Series IDSM-2 sensing port,
except for the native VLAN on each port:
cat6k (enable)>clear trunk 3/7 1-650,652-4094
cat6k (enable)>clear trunk 3/8 1-651,653-4094
Step 5 Enable bridge protocol data unit (BPDU) spanning-tree filtering on the Cisco
Catalyst 6500 Series IDSM-2 sensing ports to prevent spanning-tree loops:
cat6k (enable)> set spantree bpdu-filter 3/7-8 enable
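As an added example (not from the student guide), the following Python helper builds the clear trunk VLAN ranges for a given native VLAN and checks that each sensing port is left trunking exactly its native VLAN, which is the condition the caution above is about. The slot, port and VLAN numbers are taken from the example above; the function names are my own.

```python
"""Added example, not part of the Cisco student guide: build the Catalyst OS
'clear trunk' VLAN ranges for the IDSM-2 sensing ports and verify that each
port is left trunking only its native VLAN (an inline port trunking more than
that, e.g. the default 1-4094, invites a spanning-tree loop)."""
import re

MAX_VLAN = 4094


def vlan_range(lo: int, hi: int) -> str:
    """Render an inclusive VLAN range in Catalyst OS syntax ('1-650' or '5')."""
    return str(lo) if lo == hi else f"{lo}-{hi}"


def vlans_to_clear(native_vlan: int) -> str:
    """VLAN list that removes every VLAN except native_vlan from a trunk.
    native_vlan=651 -> '1-650,652-4094', as in the guide's clear trunk 3/7 step."""
    if not 1 <= native_vlan <= MAX_VLAN:
        raise ValueError(f"VLAN {native_vlan} outside 1-{MAX_VLAN}")
    parts = []
    if native_vlan > 1:
        parts.append(vlan_range(1, native_vlan - 1))
    if native_vlan < MAX_VLAN:
        parts.append(vlan_range(native_vlan + 1, MAX_VLAN))
    return ",".join(parts)


def clear_trunk_commands(slot: int, native_by_port: dict[int, int]) -> list[str]:
    """Catalyst OS commands for the sensing ports, e.g. {7: 651, 8: 652} on slot 3."""
    return [f"clear trunk {slot}/{port} {vlans_to_clear(vid)}"
            for port, vid in sorted(native_by_port.items())]


def parse_vlan_list(spec: str) -> set[int]:
    """Parse a Catalyst OS VLAN list such as '1-650,652-4094' into a set of IDs."""
    vlans: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad VLAN list item: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"VLAN range {item!r} outside 1-{MAX_VLAN}")
        vlans.update(range(lo, hi + 1))
    return vlans


def allowed_after_clear(cleared: str) -> set[int]:
    """VLANs still allowed on a trunk that started at the default 1-4094."""
    return set(range(1, MAX_VLAN + 1)) - parse_vlan_list(cleared)


def unsafe_inline_ports(allowed_by_port: dict[int, set[int]],
                        native_by_port: dict[int, int]) -> list[int]:
    """Sensing ports whose allowed VLAN set is anything other than {native VLAN}.
    A non-empty result means the trunk must be cleared before the inline pair
    is enabled."""
    return [port for port, native in sorted(native_by_port.items())
            if allowed_by_port.get(port, set()) != {native}]


if __name__ == "__main__":
    native = {7: 651, 8: 652}
    for cmd in clear_trunk_commands(3, native):
        print(cmd)
    # Constructed before/after state for the two sensing ports on slot 3.
    default_state = {7: set(range(1, MAX_VLAN + 1)), 8: set(range(1, MAX_VLAN + 1))}
    cleared_state = {p: allowed_after_clear(vlans_to_clear(v)) for p, v in native.items()}
    print("unsafe before clearing:", unsafe_inline_ports(default_state, native))
    print("unsafe after clearing:", unsafe_inline_ports(cleared_state, native))
```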
If you want to run the Cisco Catalyst 6500 Series IDSM-2 in inline mode, you are now ready to
configure the Cisco Catalyst 6500 Series IDSM-2 for inline operation. You can use the Cisco
IDM or the CLI to configure the Cisco Catalyst 6500 Series IDSM-2 sensing ports, ports 7 and
8, as an inline pair and assign the inline pair to the default virtual sensor.
To configure the Cisco Catalyst 6500 Series Switches and the Cisco Catalyst 6500 Series
IDSM-2 using promiscuous-mode operations, refer to
https://tools.cisco.com/qtc/config/html/configureHomeGuest.html.
Note For more information on configuring the Cisco Catalyst 6500 Series Switch running the
Cisco Catalyst operating system, see the Catalyst 6500 Series Command Reference, 8.4 at
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_4/cmd_ref/index.htm.
Task 6: Configuring the Cisco Catalyst
6500 Series IDSM-2 for Virtualization
To configure multiple virtual sensors for your Cisco Catalyst 6500 Series IDSM-2 you must
create inline VLAN pairs using ports 7 and 8. Next, create a new virtual sensor with the
associated anomaly detection, signature, and event action rule policies. Lastly, you must assign
at least one inline VLAN pair to the virtual sensor.
For more information, refer to the “Configuring a Virtual Sensor” lesson in the “Advanced
Cisco IPS Configuration” module.
cat6k>show module
Mod Slot Ports Module-Type               Model            Sub Status
--- ---- ----- ------------------------- ---------------- --- ------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP2-2GE  yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC2     no  ok
2   2    8     1000BaseX Ethernet        WS-X6408-GBIC    no  ok
3   3    48    10/100BaseTX Ethernet     WS-X6548-RJ-45   no  ok
4   4    8     Intrusion Detection Syste WS-SVC-IDSM-2    yes ok
5   5    0     Switch Fabric Module 2    WS-X6500-SFM2    no  ok
6   6    8     Intrusion Detection Syste WS-SVC-IDSM-2    yes ok
7   7    8     Intrusion Detection Syste WS-SVC-IDSM-2    yes ok
This command displays the status of all modules in the switch. Three
Cisco Catalyst 6500 Series IDSM-2 modules are installed, one in slot
4, one in slot 6, and one in slot 7. The ok state indicates that the
Cisco Catalyst 6500 Series IDSM-2 modules are online.
Use the show module [mod | all] command to display the module status and information,
where mod is the number of the module of which you would like to see the status, and the all
option displays information for all of the modules.
The figure shows the output of the show module command. It is normal for the status to
display “other” when the Cisco Catalyst 6500 Series IDSM-2 is first installed. After the Cisco
Catalyst 6500 Series IDSM-2 completes the diagnostics routines and comes online, the status
displays “ok.” Allow up to 5 minutes for the Cisco Catalyst 6500 Series IDSM-2 to come
online.
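As an added example (not from the student guide), the following Python script parses Catalyst OS show module output like the figure above and reports which IDSM-2 modules are online and which still show a status other than "ok". The sample output is constructed to mirror the figure; the function names are my own.

```python
"""Added example, not part of the Cisco student guide: parse Catalyst OS
'show module' output and report which IDSM-2 modules are online ('ok') and
which are still initializing ('other') or in some other state."""
import re
from dataclasses import dataclass

IDSM2_MODEL = "WS-SVC-IDSM-2"

# Columns: Mod Slot Ports Module-Type Model Sub Status. Module-Type may contain
# spaces, Model is one token, Sub is yes/no, Status is one token.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s+(\S+)\s+(yes|no)\s+(\S+)\s*$")


@dataclass(frozen=True)
class ModuleRow:
    mod: int
    slot: int
    ports: int
    module_type: str
    model: str
    sub: bool
    status: str


def parse_show_module(text: str) -> list[ModuleRow]:
    """Parse the module table; prompt, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        mod, slot, ports, mtype, model, sub, status = m.groups()
        rows.append(ModuleRow(int(mod), int(slot), int(ports), mtype.strip(),
                              model, sub == "yes", status))
    return rows


def idsm2_status_by_slot(rows: list[ModuleRow]) -> dict[int, str]:
    """Slot -> status for every IDSM-2 in the chassis."""
    return {r.slot: r.status for r in rows if r.model == IDSM2_MODEL}


def idsm2_not_online(rows: list[ModuleRow]) -> list[int]:
    """Slots holding an IDSM-2 whose status is not 'ok'. 'other' is expected
    for up to about five minutes after insertion while diagnostics run; a
    state that persists longer than that deserves a look."""
    return [slot for slot, st in sorted(idsm2_status_by_slot(rows).items())
            if st != "ok"]


# Constructed sample modelled on the guide's figure: three IDSM-2 modules, all ok.
SAMPLE_ALL_OK = """\
cat6k>show module
Mod Slot Ports Module-Type               Model            Sub Status
--- ---- ----- ------------------------- ---------------- --- ------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP2-2GE  yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC2     no  ok
2   2    8     1000BaseX Ethernet        WS-X6408-GBIC    no  ok
3   3    48    10/100BaseTX Ethernet     WS-X6548-RJ-45   no  ok
4   4    8     Intrusion Detection Syste WS-SVC-IDSM-2    yes ok
5   5    0     Switch Fabric Module 2    WS-X6500-SFM2    no  ok
6   6    8     Intrusion Detection Syste WS-SVC-IDSM-2    yes ok
7   7    8     Intrusion Detection Syste WS-SVC-IDSM-2    yes ok
"""

# Constructed sample: the module in slot 6 was just inserted and still shows 'other'.
SAMPLE_ONE_BOOTING = SAMPLE_ALL_OK.replace(
    "6   6    8     Intrusion Detection Syste WS-SVC-IDSM-2    yes ok",
    "6   6    8     Intrusion Detection Syste WS-SVC-IDSM-2    yes other")

if __name__ == "__main__":
    rows = parse_show_module(SAMPLE_ONE_BOOTING)
    print("IDSM-2 status by slot:", idsm2_status_by_slot(rows))
    print("IDSM-2 slots not online:", idsm2_not_online(rows))
```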
Maintaining the Cisco Catalyst 6500
Series IDSM-2
This topic explains how to upgrade and recover the Cisco Catalyst 6500 Series IDSM-2 image.
You can use the upgrade command to apply image upgrades, service packs, and signature
updates to the Cisco Catalyst 6500 Series IDSM-2. You can use the upgrade command to
upgrade your Cisco Catalyst 6500 Series IDSM-2 from Cisco IPS Sensor Software Version 5.x
to 6.0; however, the Cisco Catalyst 6500 Series IDSM-2 must be running Cisco IPS Sensor
Software Version 5.1 or higher prior to the upgrade. Using the upgrade command to apply the
Cisco IPS Sensor Software Version 6.0 major upgrade file retains your configuration, including
signature settings.
[Figure: the system image WS-SVC-IDSM2-K9-sys-1.1-a-6.0-1-E1.bin.gz is applied from the maintenance partition to reimage the application partition]
The Cisco Catalyst 6500 Series IDSM-2 has two partitions, an application partition and a
maintenance partition. You can launch a full system reimage of the Cisco Catalyst 6500 Series
IDSM-2 from the maintenance partition by applying the Cisco Catalyst 6500 Series IDSM-2
system image. An installation script embedded in the Cisco Catalyst 6500 Series IDSM-2
system image performs the system reimage operation. This script is only executed when
launched from the maintenance partition.
Follow these steps to reimage the Cisco Catalyst 6500 Series IDSM-2 application partition:
Step 1 Obtain the application partition file from Cisco.com and copy it to an FTP server.
Step 3 Boot the Cisco Catalyst 6500 Series IDSM-2 to the maintenance partition. In the
example, the Cisco Catalyst 6500 Series IDSM-2 is installed in slot 3:
cat6k> (enable) reset 3 cf:1
Step 4 Log into the maintenance partition CLI:
login: guest
Password: cisco
Step 5 Enter global configuration mode and use the upgrade command to reimage the
application partition. When the application partition file has been installed, you are
returned to the maintenance partition CLI.
Step 6 Exit the maintenance partition CLI and return to the switch CLI.
Step 7 Reboot Cisco Catalyst 6500 Series IDSM-2 to the application partition:
cat6k> (enable) reset 3 hdd:1
Step 8 When the Cisco Catalyst 6500 Series IDSM-2 has rebooted, check the software
version:
sensor#show configuration
After you reimage the application partition of the Cisco Catalyst 6500 Series IDSM-2, you
must initialize the Cisco Catalyst 6500 Series IDSM-2 using the setup command.
[Figure: the maintenance partition image c6svc-mp.2-1-2.bin.gz is applied from the application partition to reimage the maintenance partition]
When there is a new maintenance partition image file, you can reimage the Cisco Catalyst 6500
Series IDSM-2 maintenance partition from the application partition. Follow these steps to
reimage the maintenance partition:
Step 1 Obtain the maintenance partition file from Cisco.com and copy it to a Secure Copy
Protocol (SCP) or FTP server.
Step 3 Initiate a session with the Cisco Catalyst 6500 Series IDSM-2 application partition
CLI. In the following example, the Cisco Catalyst 6500 Series IDSM-2 is installed
in slot 3 of the Cisco Catalyst 6500 Series Switch:
cat6k> (enable) session 3
Note Enter global configuration mode and use the upgrade command to reimage the
maintenance partition.
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
The Cisco Catalyst 6500 Series IDSM-2 is a line card for the Cisco
Catalyst 6500 Series Switches that runs the same code as the
Cisco IPS 4200 Series Sensors and supports both inline and
promiscuous-mode operations.
Sensor initialization tasks specific to the Cisco Catalyst 6500 Series
IDSM-2 include the following:
– Assigning the command and control port to the proper VLAN
– Configuring the switch to capture traffic for intrusion detection
analysis (for promiscuous-mode operations only)
– Obtaining the time setting from either the host switch or an NTP
server
You can use the CLI upgrade command to apply the Cisco IPS
Sensor Software Version 6.0 major upgrade file to the Cisco Catalyst
6500 Series IDSM-2 and retain your configuration.
Overview
This lesson describes the Cisco Adaptive Security Appliance Advanced Inspection and
Prevention Security Services Module (ASA AIP-SSM). It also describes how to load Cisco
Intrusion Prevention System (IPS) software on the Cisco ASA AIP-SSM, how to initialize the
module with the setup command, and how to define an IPS modular policy on a security
appliance using the Cisco Adaptive Security Device Manager (ASDM).
Objectives
Upon completing this lesson, you will be able to initialize a Cisco ASA AIP-SSM. This ability
includes being able to meet these objectives:
Describe the Cisco ASA AIP-SSM
Upload the IPS image to the Cisco ASA AIP-SSM
Perform the initial configuration of the Cisco ASA AIP-SSM using Cisco ASDM
Configure an IPS security policy using Cisco ASDM
Cisco ASA AIP-SSM Overview
This topic provides an overview of the Cisco ASA AIP-SSM.
[Figure: Cisco ASA AIP-SSM front panel with the Ethernet port and the Speed, Link/Act, Power and Status LEDs; the Cisco ASA sits between the Internet and the DMZ servers]
There are two models of Cisco ASA AIP-SSM, the Cisco ASA AIP-SSM-10 and the Cisco
ASA AIP-SSM-20. Both models appear identical, but the Cisco ASA AIP-SSM-20 has a faster
processor and more memory than the Cisco ASA AIP-SSM-10. Only one module can populate
the slot at a time. On the front bezel of the Cisco ASA AIP-SSM, there are four LEDs and one
10/100/1000 Ethernet port. The table lists the states of the Cisco ASA AIP-SSM LEDs.
Remove power to the Cisco ASA 5500 Series Adaptive Security Appliance before installing or
removing the Cisco ASA AIP-SSM.
Differences Between the Cisco ASA AIP-SSM
and Cisco IPS 4200 Series Sensors
Although the two Cisco ASA AIP-SSM modules run the same code as the Cisco IPS 4200
Series Sensor, there are some differences. These are the major differences for the Cisco ASA
AIP-SSM:
The Cisco ASA AIP-SSM automatically synchronizes its clock with the Cisco ASA
adaptive security appliance, but it does not synchronize time zone or summertime settings.
There is no clock set command on the Cisco ASA AIP-SSM.
The command and control interface is GigabitEthernet0/0.
There is only one sensing interface.
The Cisco ASA AIP-SSM does not support an alternate TCP reset interface.
It does not require two interfaces in order to be in inline mode.
There is no support for inline VLAN pairs or inline pairs.
The Cisco ASA AIP-SSM supports sensor virtualization starting with Cisco ASA Software
Version 8.0.
There is no console access.
Many Cisco ASA AIP-SSM commands are executed from the Cisco ASA adaptive security
appliance command-line interface (CLI).
[Figure: Cisco ASA AIP-SSM attached to the Cisco ASA by a data channel and a control channel; software download and Cisco IDM access use the external interface]
The Cisco ASA AIP-SSM supports an internal (sensing) Gigabit Ethernet and an external
(command and control) Gigabit Ethernet interface to the Cisco ASA 5500 Series Adaptive
Security Appliance main card. The internal interface is the primary IPS data path interface for
both inline and promiscuous IPS packets. An internal 10/100 Ethernet interface provides a
control channel to the Cisco ASA 5500 Series Adaptive Security Appliance main card. The
external 10/100/1000 Ethernet interface is primarily used for downloading Cisco ASA AIP-
SSM software and for Cisco ASDM access to the Cisco ASA AIP-SSM. The external
10/100/1000 Ethernet interface has an IP address configured.
Cisco ASA AIP-SSM: Modes of Operation
[Figure: promiscuous mode, in which a copy of the DMZ traffic is sent to the AIP-SSM for intrusion detection (IDS), and inline mode, in which the actual traffic passes through the AIP-SSM for intrusion prevention (IPS)]
You can configure a Cisco ASA AIP-SSM to operate in one of two IPS modes, promiscuous or
inline. In promiscuous mode, the IPS module is not in the traffic packet flow. You can
configure a security policy, using standard rules and access control lists (ACLs) to identify
traffic that will be copied and passed to the Cisco ASA AIP-SSM. The Cisco ASA AIP-SSM
performs analysis of the traffic. A significant benefit of operating an IPS module in
promiscuous mode is that the IPS module does not affect the packet flow. There are no
performance or operational reliability issues with the forwarded traffic. The drawback to
operating in a promiscuous mode, however, is that the Cisco ASA AIP-SSM may not stop
malicious traffic from reaching its intended target. The response actions implemented by
modules in promiscuous mode are typically post-event responses and often require assistance
from other networking devices, such as routers and firewalls, to respond to an attack. The
argument can be successfully made that modules operating in promiscuous mode cannot
prevent an attack, but can only react. Most IPS products on the market today operate in
promiscuous mode.
Operating in an inline mode, the Cisco ASA AIP-SSM is inserted directly into the traffic flow.
You configure a security policy, using standard rules and ACLs, to identify traffic that should
pass directly to the Cisco ASA AIP-SSM. An inline IPS module sits in the data path, allowing
the sensor to stop attacks by dropping malicious traffic before it reaches the intended target.
The Cisco ASA AIP-SSM not only processes information on the packet “envelope” (Layer 3
and Layer 4), but also analyzes the contents, or payload, of the packets for more sophisticated
embedded attacks (Layer 3 to Layer 7). This deeper analysis allows the system to identify and
block attacks that would normally pass through a traditional firewall device.
[Figure: IPS fail-open versus IPS fail-closed for DMZ traffic through the AIP-SSM]
You also must configure what action to take if the Cisco ASA AIP-SSM fails. “Fail-open” or
“fail-closed” refers to what should happen to the traffic flow if the Cisco ASA AIP-SSM fails
for any reason, either a hardware or a software malfunction. With fail-open configured, if the
Cisco ASA AIP-SSM fails, traffic will continue to flow. When operating in promiscuous mode,
Cisco ASA AIP-SSM modules are typically configured for fail-open. With fail-closed enabled,
traffic will cease flowing if the Cisco IPS Sensor Software fails for any reason.
Initializing the Cisco ASA AIP-SSM
Module
[Figure: Cisco ASA with AIP-SSM between the Internet and the DMZ servers, with a TFTP server for the image download]
Before the Cisco ASA AIP-SSM can start to inspect and analyze traffic, you must perform
three steps. You should verify, or load and verify, the Cisco IPS Sensor Software on the Cisco
ASA AIP-SSM. After verifying the Cisco IPS Sensor Software, you should configure the initial
setup of the Cisco ASA AIP-SSM. Lastly, you should configure an IPS policy for the Cisco
ASA 5500 Series Adaptive Security Appliance. Each of these steps is discussed in more depth
in the “Configuring an IPS Security Policy” topic.
[Figure: Cisco ASA AIP-SSM in slot 1]
You can use the show module 1 detail command to view module 1 configuration. You can
view such statistics as hardware version, software version, firmware version, and status of the
Cisco ASA AIP-SSM. The full syntax for this command is as follows:
Parameter Description
all Shows information for the Cisco ASA AIP-SSM in slot 1 and the
system in slot 0
Software Version: The software version of the Cisco ASA AIP-SSM
Status: The status of the module, as follows:
— Initializing: The Cisco ASA AIP-SSM is being detected, and the control
communication is being initialized by the system.
— Up: The Cisco ASA AIP-SSM has completed initialization by the system.
— Unresponsive: The system encountered an error communicating with this Cisco
ASA AIP-SSM.
— Reloading: The Cisco ASA AIP-SSM is reloading.
— Shutting: The Cisco ASA AIP-SSM is shutting down.
— Shut Down: The Cisco ASA AIP-SSM is shut down.
— Recover: The Cisco ASA AIP-SSM is attempting to download a recovery image.
In the example in the figure, the Cisco ASA AIP-SSM present is an ASA AIP-SSM-10 model.
Notice that there is no software present on the module and the module is in the status of trying
to initialize.
You can use the hw module 1 recover command to load a recovery software image to the
Cisco ASA AIP-SSM from a TFTP server. This recovery is a two-step process. You must first
define the Cisco ASA AIP-SSM interface and TFTP server network parameters, and then
initiate the download.
Adding the configure keyword to the command enables you to define the Cisco ASA AIP-SSM
and TFTP server network parameters. In the example in the figure, the TFTP server IP
address is 10.0.31.10, and the external Cisco ASA AIP-SSM Ethernet connector IP address is
10.0.31.1. The TFTP server will download the Cisco ASA AIP-SSM-K9-sys-1.1-a-6.0-1-E1.img
image file to the Cisco ASA AIP-SSM.
The full syntax for the hw module slot recover command is as follows:
hw module slot recover Parameters
Parameter                   Description
slot                        This parameter specifies the Cisco ASA AIP-SSM slot number.
boot                        This parameter initiates recovery of this Cisco ASA AIP-SSM and downloads a recovery image according to the configuration settings. The Cisco ASA AIP-SSM then reboots from the new image.
stop                        This parameter stops the recovery action and stops downloading the recovery image. The Cisco ASA AIP-SSM boots from the original image.
url tftp_url                This parameter sets the URL for the image on a TFTP server, in the following format: tftp://server/[path/]filename.
ip port_ip_address          This parameter sets the IP address of the Cisco ASA AIP-SSM management interface.
gateway gateway_ip_address  This parameter sets the gateway IP address for access to the TFTP server through the Cisco ASA AIP-SSM management interface.
vlan vlan_id                This parameter sets the VLAN ID (VID) for the management interface.
You can use the hw module 1 recover boot command to initiate the TFTP download of the
image defined in the hw module 1 recover configure command. To aid in the download, you
can enable the debug module command. A sample of a download is displayed in the example
in the figure. The full debug output was truncated to fit into the window. Downloading and
launching the image, launching the bootloader, and recovering the module takes approximately
five minutes to complete.
Cisco ASA AIP-SSM Initialized
[Figure: show module 1 output for the initialized Cisco ASA AIP-SSM]
Mod Status
--- ------------------
1   Up
Once the Cisco ASA AIP-SSM is initialized, you can use the show module 1 command to view
the status of the module. From the Show Module 1 window, you can view the model type,
MAC address, serial number, hardware version, firmware version, and software version of the
Cisco ASA AIP-SSM. You can also determine the status of the module. In the example in the
figure, notice that the module is in the Up status and the Cisco IPS Sensor Software Version
6.0(1.22)S267.0 is loaded on the module.
asa1# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
login: cisco
Password: <cisco>
You are required to change your password immediately (password aged)
Changing password for cisco
(current) UNIX password: <cisco>
New password: <training>
Retype new password: <training>
………….
sensor#
If the Cisco ASA AIP-SSM is in the Up status, you can open a Telnet session with the module
via the security appliance command line. To initiate a Telnet session, enter the session 1
command at the CLI command prompt. Entering the session 1 command for the first time, you
are prompted for the default login prompt, username cisco, and password cisco. After entering
the default login and password, you are immediately prompted to change the password. In the
example in the figure, the password was changed to training. After changing the password, the
default sensor# command prompt is displayed. To end a session, enter exit or Ctrl+Shift+6
followed by the x key.
Session Setup Default
sensor# setup
Current Configuration:
service host
network-settings
host-ip 10.1.9.201/24,10.1.9.1
host-name sensor
telnet-option disabled
ftp-timeout 300
login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
After installing and loading software on the Cisco ASA AIP-SSM, you must initialize the Cisco
ASA AIP-SSM using the setup command. With the setup command, you can configure basic
Cisco ASA AIP-SSM settings, including the hostname, IP interfaces, Telnet server, web server
port, ACLs, and time settings. The example in the figure displays the default setup parameters.
Notice that the default IP address of the external Ethernet connector is 10.1.9.201/24.
sensor# setup
………….
Continue with configuration dialog?[yes]: <yes>
Enter host name[sensor]: sensor1
Enter IP interface[10.1.9.201/24,10.1.9.1]: 10.0.1.41/24,10.0.1.1
Enter telnet-server status[disabled]:
Enter web-server port[443]:
Modify current access list?[no]: yes
Current access list entries:
No entries
Permit: 10.0.1.0/24
Permit:
………….
To communicate with Cisco ASDM, you may need to change some of the default setup
parameters such as the IP interface and current access list. Descriptions of the setup command
parameters are as follows:
Enter host name [sensor]: This is the name of the sensor. The hostname can be a string of
1 to 64 characters that matches the pattern ^[A-Za-z0-9_/-]+$. The default is “sensor.” You
receive an error message if the name contains a space or exceeds 64 alphanumeric
characters.
Enter IP interface [10.1.9.201/24, 10.1.9.1]: This is the IP address of the external Cisco
ASA AIP-SSM Ethernet interface. The default is 10.1.9.201. The default mask
corresponding to the IP address is /24, or 255.255.255.0. The default gateway address is
10.1.9.1.
Enter telnet-server status [disabled]: This enables or disables Telnet for remote access to
the sensor. Telnet is not a secure access service and, therefore, is disabled by default.
Enter web-server port [443]: This is the TCP port used by the web server. The default is
443 for HTTPS. You receive an error message if you enter a value out of the range of 1 to
65535.
Modify current access list? [no]: This is the IP address of the hosts or networks that have
permission to access the sensor. By default, there are no entries.
In the example in the figure, the IP address of the external Ethernet connector was changed to
10.0.1.41/24. Hosts on the 10.0.1.0/24 subnet are permitted to access the module.
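As an added example (not from the student guide), the following Python checker applies the rules stated above (hostname pattern and length, web-server port range, IP interface with gateway, access list entries) to the answers you intend to give the setup dialog, and flags an enabled Telnet server. The answer key names mirror the setup prompts but are my own; the sample answers are the ones from the example session.

```python
"""Added example, not part of the Cisco student guide: check the answers you
intend to give the AIP-SSM 'setup' dialog against the rules the guide states
(hostname pattern and length, web-server port range, IP interface with
gateway, access list entries) before typing them in, and flag Telnet."""
import ipaddress
import re

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_/-]+$")   # pattern quoted in the guide


def valid_hostname(name: str) -> bool:
    """1 to 64 characters matching ^[A-Za-z0-9_/-]+$ (so no spaces)."""
    return 1 <= len(name) <= 64 and HOSTNAME_RE.fullmatch(name) is not None


def valid_web_port(port: int) -> bool:
    """TCP port for the web server; 443 (HTTPS) is the default."""
    return 1 <= port <= 65535


def parse_ip_interface(spec: str):
    """Parse 'address/prefix,gateway' (e.g. '10.0.1.41/24,10.0.1.1') into an
    IPv4Interface and IPv4Address; the gateway must lie inside the subnet and
    differ from the sensor's own address."""
    try:
        addr_part, gw_part = (s.strip() for s in spec.split(","))
    except ValueError:
        raise ValueError("expected address/prefix,gateway") from None
    iface = ipaddress.ip_interface(addr_part)
    gateway = ipaddress.ip_address(gw_part)
    if gateway not in iface.network:
        raise ValueError(f"gateway {gateway} is not in {iface.network}")
    if gateway == iface.ip:
        raise ValueError("gateway equals the sensor address")
    return iface, gateway


def validate_setup(answers: dict) -> list[str]:
    """Return a list of findings; an empty list means the answers look sane.
    Keys (my own names) mirror the setup prompts: host-name, host-ip,
    telnet-option, web-server-port, access-list (list of network/prefix)."""
    findings = []
    name = answers.get("host-name", "sensor")
    if not valid_hostname(name):
        findings.append(f"host-name {name!r}: must be 1-64 chars of [A-Za-z0-9_/-]")
    try:
        parse_ip_interface(answers.get("host-ip", "10.1.9.201/24,10.1.9.1"))
    except ValueError as exc:
        findings.append(f"host-ip: {exc}")
    port = answers.get("web-server-port", 443)
    if not valid_web_port(port):
        findings.append(f"web-server-port {port}: must be in 1-65535")
    if answers.get("telnet-option", "disabled") != "disabled":
        findings.append("telnet-option enabled: Telnet is not a secure access "
                        "service; leave it disabled")
    acl = answers.get("access-list", [])
    if not acl:
        findings.append("access-list: no entries, so no management host can reach the sensor")
    for entry in acl:
        try:
            ipaddress.ip_network(entry)   # strict: host bits must be zero
        except ValueError:
            findings.append(f"access-list entry {entry!r} is not a valid network/prefix")
    return findings


def manager_permitted(acl: list[str], manager_ip: str) -> bool:
    """True if the Cisco ASDM host falls inside one of the permitted networks."""
    ip = ipaddress.ip_address(manager_ip)
    return any(ip in ipaddress.ip_network(e) for e in acl)


if __name__ == "__main__":
    # Constructed answers matching the guide's example session.
    answers = {"host-name": "sensor1", "host-ip": "10.0.1.41/24,10.0.1.1",
               "telnet-option": "disabled", "web-server-port": 443,
               "access-list": ["10.0.1.0/24"]}
    print("findings:", validate_setup(answers))
    print("ASDM host 10.0.1.10 permitted:",
          manager_permitted(answers["access-list"], "10.0.1.10"))
```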
show module 1 detail Command
You can use the show module 1 detail command to view the Cisco ASA AIP-SSM hardware
and software details, including the remote management configuration. In the example in the
figure, a device manager can access the Cisco ASA AIP-SSM through the Cisco ASA AIP-
SSM external interface using the IP address 10.0.1.41, the Cisco ASA AIP-SSM web server
port is 443, and management Transport Layer Security (TLS) or Secure Sockets Layer (SSL) is
enabled.
[Figure: IPS access from the Cisco ASDM host (.10) to the Cisco ASA AIP-SSM external interface (.41)]
After installing the Cisco ASA AIP-SSM, you initialized the module using the setup command
from the CLI. With the setup command, you configured basic sensor settings, including the
hostname, IP interfaces, web server port, ACLs, and time settings. After initializing the Cisco
ASA AIP-SSM, you can now communicate with the module using Cisco ASDM. The IPS icon
is not present on Cisco ASDM until the Cisco IPS Sensor Software is installed and configured
on the Cisco ASA AIP-SSM.
To access the Cisco ASA AIP-SSM from Cisco ASDM, click the IPS icon under the features
column. The Connecting to IPS pop-up window appears. The IP address referenced by the
Management IP Address prompt in the pop-up window refers to the IP address of the external
Ethernet interface of the Cisco ASA AIP-SSM. An option is provided in this dialog to enter a
different IP address, in case you are accessing the IPS sensor from behind a Network Address
Translation (NAT) device. Cisco ASDM can manage only the Cisco ASA AIP-SSM card in the
same chassis as the Cisco ASA adaptive security appliance from which Cisco ASDM is started.
Choose Management IP Address and then click Continue. If a route exists between the Cisco
ASDM PC and the external Ethernet interface on the Cisco ASA AIP-SSM, the Cisco ASA
AIP-SSM session login prompt should open.
You can configure intrusion prevention either using the Cisco ASDM or through the CLI.
Configuring an IPS Security Policy
This topic describes how to configure an IPS service policy on the Cisco ASA security
appliance.
The last step in the process is to create a security policy on the Cisco ASA 5500 Series
Adaptive Security Appliance. A security policy enables the Cisco ASA Adaptive Security
Appliance to prefilter, and then pass selected traffic to the Cisco ASA AIP-SSM for inspection
and analysis. This level of interaction between the Cisco ASA security appliance and Cisco
ASA AIP-SSM enables the IPS system to operate at greater efficiency. The Cisco ASA AIP-
SSM analyzes only a subset of the total bandwidth, the relevant traffic, and filters out
nonrelevant traffic. You can apply a security policy to an interface or globally to every
interface.
To create an IPS service policy from Cisco ASDM, click Security Policy and choose the
Service Policy Rules option.
The Add Service Policy Rule Wizard dialog box guides you through the addition of a new
service policy rule. You can apply the new security policy rule to a specific interface, such as
the outside or inside interface, or you can apply it globally to all of the interfaces.
Descriptions of the fields in the Create a Service Policy and Apply To group box are as follows:
Interface radio button: This applies the rule to a specific interface. This selection is
required if you want to match traffic based on the source or destination IP address using an
ACL.
Interface drop-down list: This specifies the interface to which the rule applies.
Description field: This provides a text description of the policy.
Global - Applies to All Interfaces radio button: This applies the rule to all of the
interfaces.
Policy Name box: This specifies the name of the global service policy. Only one global
service policy is allowed and it cannot be renamed.
Description box: This provides a text description of the policy.
Identify a Class of Traffic
After you define a service policy, you define a traffic class. You define the criteria used by the
Cisco ASA Adaptive Security Appliance to identify which traffic is routed to the Cisco ASA
AIP-SSM for inspection and analysis. The Traffic Classification Criteria dialog box enables
you to specify the criteria that you want to use to match traffic to which the security policy rule
applies. Descriptions of the fields are as follows:
Create a New Traffic Class: This identifies the name of the new traffic class.
Description: This provides a text description of the new traffic class.
Traffic Match Criteria: The available matching criteria choices are as follows:
— Default Inspection Traffic: This uses the criteria specified in the default inspection
traffic policy.
— Source and Destination IP Address (Uses ACL): This matches traffic based on the
source and destination IP addresses, using an ACL. This selection is only available if
you apply the rule to a specific interface using an interface service policy.
— Tunnel Group: This matches traffic based on the tunnel group. If a tunnel group is
selected as one match criteria, a second criterion can also be selected.
— TCP or UDP Destination Port: This matches traffic based on the TCP or User
Datagram Protocol (UDP) destination port.
— RTP Range: This matches traffic based on a range of Real-Time Transport Protocol
(RTP) ports.
— IP DiffServ CodePoints (DSCP): This matches traffic based on the differentiated
services code point (DSCP) model of quality of service (QoS).
— IP Precedence: This matches traffic based on the IP precedence model of QoS.
— Any Traffic: This matches all traffic regardless of the traffic type.
The Source and Destination Address dialog box appears when you check the Source and
Destination IP Address (Uses ACL) check box on the Traffic Match Criteria dialog box. This
dialog window enables you to identify the traffic to which a service policy rule applies based
on the IP address of the sending or receiving host. In the example in the figure, the traffic
criterion is any packet arriving on the outside interface, from any source IP address, destined to
any address.
Define IPS Policy
The Intrusion Prevention tab enables you to configure the IPS action to take on the selected
traffic class. This window appears only if the Cisco IPS Sensor Software and the Cisco ASA AIP-SSM
hardware are installed in the security appliance. The fields on the Intrusion Prevention tab are as
follows:
Enable IPS for This Traffic Flow: This check box enables or disables intrusion
prevention for the traffic flow. When this check box is selected, the other parameters in this
window become active.
Mode: This group box configures the operating mode for intrusion prevention.
— Inline Mode: This option selects Inline Mode, in which a packet is directed to IPS.
The packet might be dropped because of the IPS operation.
— Promiscuous Mode: This option selects Promiscuous Mode, in which IPS operates
on a duplicate of the original packet. The original packet cannot be dropped.
If IPS Card Fails, Then: This group box configures the action to take if the IPS card
becomes inoperable.
— Permit Traffic: This option permits traffic if the Cisco ASA AIP-SSM card fails.
— Close Traffic: This option blocks traffic if the Cisco ASA AIP-SSM card fails.
The last step is to apply the service policy rule. Click Apply to initiate the new IPS service
policy.
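The wizard steps above (scope, traffic class, IPS mode, action on card failure) map onto a small amount of ASA modular policy framework configuration, which is what the CLI route mentioned earlier produces. The following is an added example, not Cisco code: it turns the wizard's selections into the equivalent ASA CLI lines and enforces the two constraints stated in this lesson (ACL-based matching needs an interface-specific policy; only one global policy exists and it cannot be renamed). The object names IPS_TRAFFIC, IPS_CLASS and the per-interface policy name are assumptions; the keywords (class-map, match access-list, policy-map, ips inline|promiscuous fail-open|fail-close, service-policy) are standard ASA syntax.

```python
"""Build the Cisco ASA service policy that hands traffic to the AIP-SSM.

Added example, not Cisco code. Object names (IPS_TRAFFIC, IPS_CLASS,
<interface>-policy) are assumed; the keywords are standard ASA MPF syntax.
"""
from dataclasses import dataclass
from typing import List, Optional

# Traffic match criteria from the Traffic Classification Criteria dialog
# that map directly onto a class-map match clause.
MATCH_CLAUSES = {
    "acl": " match access-list {acl}",
    "any": " match any",
    "default-inspection": " match default-inspection-traffic",
}


@dataclass
class IpsServicePolicy:
    interface: Optional[str]   # "outside", "inside", ... or None for global
    match: str                 # key of MATCH_CLAUSES
    mode: str                  # "inline" (packets may be dropped) or "promiscuous" (copy only)
    on_card_failure: str       # "permit" -> fail-open, "close" -> fail-close
    class_name: str = "IPS_CLASS"
    acl_name: str = "IPS_TRAFFIC"

    @property
    def policy_name(self) -> str:
        # Only one global policy exists and it cannot be renamed; interface
        # policies get an assumed per-interface name.
        return "global_policy" if self.interface is None else f"{self.interface}-policy"

    def validate(self) -> None:
        if self.match not in MATCH_CLAUSES:
            raise ValueError(f"unknown traffic match criterion {self.match!r}")
        if self.match == "acl" and self.interface is None:
            # Source/destination (ACL) matching is only available when the
            # rule is applied to a specific interface.
            raise ValueError("ACL-based matching requires an interface service policy")
        if self.mode not in ("inline", "promiscuous"):
            raise ValueError(f"unknown IPS mode {self.mode!r}")
        if self.on_card_failure not in ("permit", "close"):
            raise ValueError(f"unknown card-failure action {self.on_card_failure!r}")

    def render(self) -> List[str]:
        """Return the ASA CLI lines equivalent to the wizard's selections."""
        self.validate()
        lines: List[str] = []
        if self.match == "acl":
            # Assumed ACL: any source to any destination, as in the lesson's figure.
            lines.append(f"access-list {self.acl_name} extended permit ip any any")
        lines.append(f"class-map {self.class_name}")
        lines.append(MATCH_CLAUSES[self.match].format(acl=self.acl_name))
        lines.append(f"policy-map {self.policy_name}")
        lines.append(f" class {self.class_name}")
        fail = "fail-open" if self.on_card_failure == "permit" else "fail-close"
        lines.append(f"  ips {self.mode} {fail}")
        target = "global" if self.interface is None else f"interface {self.interface}"
        lines.append(f"service-policy {self.policy_name} {target}")
        return lines


def check_policy_set(policies: List[IpsServicePolicy]) -> None:
    """Reject a set with more than one global policy (the ASA allows only one)."""
    if sum(p.interface is None for p in policies) > 1:
        raise ValueError("only one global service policy is allowed")
    for p in policies:
        p.validate()


if __name__ == "__main__":
    rule = IpsServicePolicy("outside", "acl", "inline", "permit")
    print("\n".join(rule.render()))
```

Running the block prints the configuration for an inline, fail-open rule on the outside interface. Choosing "close" instead of "permit" renders fail-close, which is the safer choice where an inoperable card must never let unexamined traffic through, at the cost of an outage when the module fails.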
Summary
This topic summarizes the key points that were discussed in this lesson.
There are two Cisco ASA AIP-SSM models: the AIP SSM-10 and
AIP SSM-20.
If there is no Cisco IPS Sensor Software on the Cisco ASA AIP-
SSM, or if it is corrupt, use the hw module 1 recover command
to load the initial Cisco IPS Sensor Software image.
Use the setup command to configure the initial Cisco ASA
AIP-SSM setup.
A security policy enables the Cisco ASA adaptive security
appliance to prefilter, and then pass, selected traffic to the Cisco
ASA AIP-SSM for inspection and analysis.
Module Summary
The Cisco Catalyst 6500 Series IDSM-2 and Cisco ASA AIP-SSM
run the same code as the Cisco IPS 4200 Series Sensors, and they
must obtain their time setting from one of the following:
– The host device
– An NTP server
Use the Cisco ASDM or the CLI to configure a modular policy for IPS
inspection on the Cisco ASA AIP-SSM models.
The Cisco Catalyst 6500 Series Intrusion Detection System Services Module 2 (IDSM-2) is a
high-performance module designed to run in the Cisco Catalyst 6500 Series Switches. It runs
the same image as the Cisco Intrusion Prevention System (IPS) 4200 Series Sensors, although
some features are not exactly the same.
There are two Cisco Adaptive Security Appliance Advanced Inspection and Prevention
Security Services Module (ASA AIP-SSM) models: the Cisco ASA AIP-SSM-10 and Cisco
ASA AIP-SSM-20. The features on both are identical. They run the same image as the Cisco
IPS 4200 Series Sensors and for the most part have the same features.
References
For additional information, refer to these resources:
Cisco Systems, Inc. Cisco Intrusion Prevention System: Introduction.
http://www.cisco.com/go/ips.
Cisco Systems, Inc. Regulatory Compliance and Safety Information for the Intrusion
Detection System Appliances and Modules.
Cisco Systems, Inc. Cisco Intrusion Detection System Appliance and Module Installation
and Configuration Guide.
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_book09186a008014a234.html.
Cisco Systems, Inc. Cisco Intrusion Prevention System Command Reference 6.0.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_command_reference_book09186a00807a874d.html.
Cisco Systems, Inc. Cisco Dynamic Configuration Tool.
https://tools.cisco.com/qtc/config/html/configureHomeGuest.html.
Cisco Systems, Inc. Catalyst 6500 Series Command Reference, 8.4.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_4/cmd_ref/index.htm.
Cisco Systems, Inc. Cisco ASA 5500 Series Adaptive Security Appliances: Introduction.
http://www.cisco.com/go/asa.
Overview
This module provides information on monitoring the health and welfare of your sensor. This
module will examine how to use the command-line interface (CLI) and the Cisco Intrusion
Prevention System (IPS) Device Manager (IDM) to install licenses and upgrade or recover the
Cisco IPS Sensor Software, in addition to other maintenance tasks.
Module Objectives
Upon completing this module, you will be able to use the CLI and the Cisco IDM to obtain
system information. You will also be able to configure the Cisco IPS sensor to allow a Simple
Network Management Protocol (SNMP) network management system (NMS) to monitor the
Cisco IPS sensor. This ability includes being able to meet these objectives:
Install and recover the Cisco IPS Sensor Software and perform service pack and signature
updates
Use the CLI and the Cisco IDM to verify sensor configuration and perform password
recovery
Lesson 1
Overview
This lesson explains how to maintain a Cisco Intrusion Prevention System (IPS) sensor. This
lesson discusses how to perform maintenance tasks such as updating signature files,
recovering corrupted images, and performing password recovery.
Objectives
Upon completing this lesson, you will be able to install and recover the Cisco IPS Sensor
Software and perform service pack and signature updates. This ability includes being able to
meet these objectives:
Describe the Cisco IPS sensor licenses and how to install them
Perform a Cisco IPS sensor upgrade or recovery
Install service pack and signature updates
Perform a password recovery on a Cisco IPS sensor
Restore a Cisco IPS sensor to its default configuration
Understanding Cisco IPS Licensing
This topic describes the different Cisco IPS sensor licenses and how to install them.
Although the Cisco IPS sensor can function without the license
key, you must have a license key to obtain signature updates.
To obtain a license key, you must have a Cisco Services for IPS
service contract.
Contact your reseller, or Cisco service or product sales to
purchase a contract.
Sixty-day trial licenses are available when there are problems with
your contract.
Although the Cisco IPS sensors function without a license key, you must have a license key to
obtain signature updates. To obtain a license key, you must have a Cisco Services for IPS
service contract. Contact your reseller, or Cisco service or product sales to purchase a contract.
Trial license keys are also available. If you cannot get your Cisco IPS sensor licensed because
of problems with your contract, you can obtain a 60-day trial license that supports signature
updates that require licensing. You can obtain a license key from the Cisco.com licensing
server, which is then delivered to the sensor. Or, you can update the license key from a license
key provided in a local file. Go to
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=137 to apply for
a license key. This requires a Cisco.com account.
You must know your Cisco IPS device serial number to obtain a license key. To find the Cisco
IPS sensor serial number, use Cisco IPS Device Manager (IDM) and choose Configuration >
Licensing, or enter the command show version at the command-line interface (CLI).
You can view the status of the license key on the Licensing panel in Cisco IDM. Whenever you
start Cisco IDM, you are informed of your license status—whether you have a trial, invalid, or
expired license key. With no license key, an invalid license key, or an expired license key, you
can continue to use Cisco IDM but you cannot download signature updates.
When you enter the CLI, you are also informed of your license status. For example, you receive
the following message if there is no license installed:
***LICENSE NOTICE***
There is no license key installed on the system.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
You will continue to see this message until you install a license key.
Cisco IPS 4200 Series Sensors require Cisco Services for IPS
service contracts to install signature updates.
The Cisco Catalyst 6500 Series IDSM-2 requires the Cisco
Services for IPS service contract for signature updates even when
a SMARTnet contract exists.
Cisco ASA 5500 Series Adaptive Security Appliances also require
the Cisco Services for IPS service contract for signature updates
even when a SMARTnet contract exists.
When you purchase the following Cisco IPS sensor products, you must also purchase a Cisco
Services for IPS service contract:
Cisco Intrusion Detection System (IDS) 4215 Sensor
Cisco IPS 4240 Sensor
Cisco IPS 4255 Sensor
Cisco IPS 4260 Sensor
Cisco Catalyst 6500 Series Intrusion Detection System Services Module 2 (IDSM-2)
For Cisco ASA 5500 Series Adaptive Security Appliances, if you purchase one of the following
Cisco ASA adaptive security appliance products that do not contain IPS, you must purchase a
SMARTnet contract:
Note SMARTnet provides operating system updates, access to Cisco.com, access to the Cisco
Technical Assistance Center (TAC), and hardware replacement on the next business day on
site.
Cisco ASA5540-BUN-K9 Adaptive Security Appliance
If you purchased one of the following Cisco ASA 5500 Series Adaptive Security Appliances
that ships with the Cisco Adaptive Security Appliance Advanced Inspection and Prevention
Security Services Module (ASA AIP-SSM) installed, or if you purchased a Cisco ASA AIP-
SSM to add to your Cisco ASA adaptive security appliance product, you must purchase the
Cisco Services for IPS service contract:
Note Cisco Services for IPS provides IPS signature updates, operating system updates, access to
Cisco.com, access to Cisco TAC, and hardware replacement on the next business day on
site.
For example, if you purchased a Cisco ASA 5510 Adaptive Security Appliance and then later
wanted to add IPS capabilities and purchased a Cisco ASA AIP-SSM-10-K9, you must now
purchase the Cisco Services for IPS service contract.
Once you have the Cisco Services for IPS service contract, you must also have your product
serial number to apply for the license key.
Note You must have a Cisco Services for IPS service contract before you can apply for a license
key.
Note You must have the correct Cisco IPS sensor device serial number because the license key
functions only on the device with that number. Your Cisco IPS Signature Subscription
Service license key is sent by e-mail to the e-mail address that you specify when applying
for the license key.
Step 3 Save the license key to a system that has a web server, FTP server, or Secure Copy
Protocol (SCP) server.
Step 4 Log into the CLI using an account with administrator privileges.
copy Command
sensor(config)#
Step 5 Copy the license key to the sensor using the command copy source-url
license_file_name license-key and provide a password if prompted. Here is an
example:
sensor# copy ftp://administrator@10.0.1.12/license.lic license-key
Password: *******
[Figure: Cisco IDM Licensing panel (Configuration > Licensing) with the Cisco Connection Online option.]
You can also use the Cisco IDM to obtain and install a new license. When you launch the Cisco
IDM, a dialog box appears informing you of your license status. The status can be trial, invalid,
or expired. With no license key, an invalid license key, or an expired license key, you can
continue to use the Cisco IDM, but you cannot download signature updates.
You can also view the current status of your license, its expiration date, and your sensor serial
number on the Cisco IDM Licensing panel. You must know your sensor serial number to obtain
a license. If the key is invalid, no expiration date is displayed.
Note The CLI show version command also displays the serial number.
Follow these steps to obtain a new license from the Cisco IDM:
Step 3 Click Yes to continue. If you selected the Cisco Connection Online radio button, a
Status window opens informing you that the sensor is attempting to connect to
Cisco.com. When the license has been obtained, an Information dialog box appears
confirming that the license has been updated.
Upgrading the Sensor
You can use the upgrade command to apply image upgrades, service
packs, and signature updates to your sensor.
The upgrade command upgrades the sensor application and recovery
images.
You can use the upgrade command to upgrade from Cisco IPS Sensor
Software Version 5.x to Version 6.0.
To upgrade from Cisco IPS Sensor Software Version 5.x to 6.0, the
sensor must already be running Cisco IPS Sensor Software Version 5.1
or higher.
When you use the upgrade command to apply the Cisco IPS Sensor
Software Version 6.0 major upgrade file, your configuration, including
signature settings, is retained.
The Cisco IPS Sensor Software Version 6.0 major upgrade file is the
same for all sensor appliances.
Example: IPS-K9-6.0-1-E1.pkg
You can use the upgrade command to apply image upgrades, service packs, and signature
updates to any of the following Cisco IPS sensor models:
Cisco IDS 4215 Sensor
Cisco IPS 4240 Sensor
Cisco IDS 4250 XL Sensor
Cisco IPS 4255 Sensor
Cisco IPS 4260 Sensor
The upgrade command upgrades the sensor application and recovery images. You can use the
upgrade command to upgrade your sensor from Cisco IPS Sensor Software Version 5.x to
Cisco IPS Sensor Software Version 6.0; however, the sensor must be running Cisco IPS Sensor
Software Version 5.1(4) or higher prior to the upgrade. Using the upgrade command to apply
the Cisco IPS Sensor Software Version 6.0 major upgrade file retains your configuration,
including signature settings.
upgrade source-url
sensor(config)# upgrade ftp://administrator@10.0.1.12/IPS-K9-6.0-1-E1.pkg
You can install a Cisco IPS Sensor Software update by executing the upgrade command from
the configuration prompt of the sensor. You can enter all of the necessary file location (URL)
information and the username in one command-line entry.
Note You cannot downgrade the Cisco IPS Sensor Software Version 6.0(1) major update using
the downgrade command. You must reimage the sensor using a Cisco IPS Sensor
Software Version 5.1(4) system image or recovery CD. When you reimage the sensor, this
results in the loss of any configuration changes that you made.
Use the following guidelines when specifying the location of the update file:
FTP: This is the source URL for an FTP network server. The syntax for this prefix can be
one of the following:
— ftp:[[//username@]location]/relativeDirectory/filename
— ftp:[[//username@]location]//absoluteDirectory/filename
SCP: This is the source URL for the SCP network server. The syntax for this prefix can be
one of the following:
— scp:[[//username@]location]/relativeDirectory/filename
— scp:[[//username@]location]//absoluteDirectory/filename
HTTP: This is the source URL for a web server. The syntax for this prefix is as follows:
— http:[[//username@]location]/directory/filename
HTTPS: This is the source URL for a web server. The syntax for this prefix is as follows:
— https:[[//username@]location]/directory/filename
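The four source-url forms differ only in the prefix and in whether the directory part is relative to the login home (one slash) or absolute (two slashes). The following parser is an added example, not part of the sensor software: it decomposes a source-url exactly as the syntax summary above describes and reports two things a practitioner checks before running the command, namely whether a password prompt should be expected (a username on ftp: or scp:) and whether the https: prefix is in use and therefore needs a TLS trusted host configured first. The sample URLs are constructed from the addresses used in this lesson.

```python
"""Parse the source-url accepted by the sensor's upgrade and copy commands.

Added example, not Cisco code. One leading slash after the location is a
directory relative to the login home; two slashes (ftp:, scp:) mean an
absolute directory, following the syntax summary in the lesson.
"""
import re
from dataclasses import dataclass
from typing import Optional

_URL = re.compile(
    r"^(?P<scheme>ftp|scp|http|https):"               # transport prefix
    r"(?://(?:(?P<user>[^@/]+)@)?(?P<host>[^/]+))?"    # optional //username@location
    r"(?P<path>/.*)$"                                 # /relative/... or //absolute/...
)


@dataclass
class SourceUrl:
    scheme: str
    user: Optional[str]
    host: Optional[str]
    directory: str      # "" when the file sits in the login home directory
    filename: str
    absolute: bool

    @property
    def needs_tls_trusted_host(self) -> bool:
        # https: requires a TLS trusted host to be configured on the sensor first.
        return self.scheme == "https"

    @property
    def may_prompt_for_password(self) -> bool:
        # A username on an FTP or SCP URL leads to a password prompt.
        return self.user is not None and self.scheme in ("ftp", "scp")


def parse_source_url(url: str) -> SourceUrl:
    """Split a source-url into its parts; raise ValueError for unsupported forms."""
    m = _URL.match(url.strip())
    if not m:
        raise ValueError(f"not a valid source-url: {url!r}")
    scheme, user, host, path = m.group("scheme", "user", "host", "path")
    absolute = scheme in ("ftp", "scp") and path.startswith("//")
    # Drop the prefix slash(es); what remains is directory plus filename.
    rest = path[2:] if absolute else path[1:]
    directory, _, filename = rest.rpartition("/")
    if not filename:
        raise ValueError(f"source-url has no filename: {url!r}")
    if absolute:
        directory = "/" + directory
    return SourceUrl(scheme, user, host, directory, filename, absolute)


if __name__ == "__main__":
    # Constructed sample URLs using the lesson's FTP server address.
    for sample in ("ftp://administrator@10.0.1.12/license.lic",
                   "ftp://administrator@10.0.1.12//var/ftp/images/IPS-K9-6.0-1-E1.pkg",
                   "https://10.0.1.12/updates/IPS-K9-6.0-1-E1.pkg"):
        print(parse_source_url(sample))
```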
Note Before using the HTTPS protocol, you must configure a Transport Layer Security (TLS)
trusted host.
A full system reimage is a means of upgrading or recovering the application and recovery
images. To perform a full system reimage, you must use the system image file specific to your
sensor platform. You lose your entire configuration settings when you perform a full system
reimage.
Full System Reimage: Cisco IDS 4235
and 4250 XL Sensors
You can perform a full system reimage of the following sensors by using the Cisco IPS Sensor
Software Version 6.0(1) Recovery CD:
Cisco IDS 4235 Sensor
Cisco IDS 4250 XL Sensor
Step 1 Connect to the sensor with a keyboard and monitor or a serial connection.
You can use ROM monitor, a boot utility on the sensor, to transfer
system images onto the following sensors:
– Cisco IDS 4215 Sensor
– Cisco IPS 4240 Sensor
– Cisco IPS 4255 Sensor
– Cisco IPS 4260 Sensor
Cisco IPS Sensor Software Version 6.0 system image files
contain the “sys” identifier. Example: IPS-4240-K9-sys-1.1-a-6.0-1-E1.img
Because the Cisco IDS 4215, Cisco IPS 4240, Cisco IPS 4255 and Cisco IPS 4260 Sensors
have no CD-ROM drive, a full system reimage is done over the network using TFTP. You can
also use ROM monitor, a boot utility on the sensor, to transfer system images onto these
sensors.
Using ROM Monitor for Full System
Reimage
Follow these steps to perform a full system reimage over the
network:
1. Place the system image file for your sensor platform on a TFTP server.
2. Verify that you can access the TFTP server from the network connected to
your sensor Ethernet port.
3. Reboot the sensor.
4. Escape the boot sequence.
5. Verify that the Cisco IPS sensor is running BIOS version 5.1.7 or later and
ROM monitor version 1.4 or later.
6. Change the interface port number if necessary.
7. Specify the IP address of the sensor.
8. Specify the IP address of the TFTP server.
9. Specify the IP address of the sensor default gateway.
10. Specify the path and filename on the TFTP server.
11. Begin the TFTP download.
Follow these steps to use ROM monitor to install the system image onto the sensor:
Step 1 Download the system image file for your sensor platform to the TFTP root directory
of a TFTP server that is accessible from your sensor. A system image file has the
.img extension and contains the platform number in the name.
Step 2 Verify that you can access the TFTP server from the network connected to your
sensor Ethernet port.
Step 3 Log into the sensor and reboot it:
sensor# reset
Step 4 Press Ctrl-R within 5 seconds after the following message is displayed during
bootup:
Evaluating Run Options...
Note If you are applying a system image to a Cisco IPS 4240 or Cisco IPS 4255 Sensor, press
Break or Esc within 10 seconds instead of pressing Ctrl-R within 5 seconds.
Step 5 Examine the console display information to verify that the sensor is running BIOS
version 5.1.7 or later and ROM monitor version 1.4 or later. If not, you must
upgrade the Cisco IDS 4215 Sensor BIOS to version 5.1.7 and the ROM monitor to
version 1.4, using the upgrade utility file IDS-4215-bios-5.1.7-rom-1.4.bin, available
for download at http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-firmware.
Step 6 If necessary, change the interface port number to be used for the TFTP download
when the ROM monitor prompt is displayed. The default interface port number used
for TFTP downloads on the Cisco IPS 4240 and 4255 Sensors is Management0/0,
which corresponds with the Cisco IPS 4240 and 4255 Sensor management
interfaces. The default interface port number used for TFTP downloads on the Cisco
Note Although the information that must be entered is the same for the Cisco IDS 4215, Cisco
IPS 4240, and Cisco IPS 4255 Sensors, the format for the Cisco IDS 4215 Sensor is
different from that of the newer platforms. For example, the format for entering the port
number on the Cisco IDS 4215 Sensor is rommon> interface port_number, while the
format for the Cisco IPS 4240 and Cisco IPS 4255 Sensors is rommon> PORT=. For this
example, the format of the Cisco IDS 4215 Sensor is used.
Note On the Cisco IPS 4240 and Cisco IPS 4255 Sensors, replace the keyword file with the
keyword IMAGE.
Caution If you remove power from the sensor during the update process, the upgrade can become
corrupt.
For Microsoft Windows: Tftpd32 version 2.0
For UNIX: Tftp-hpa series
In case your Cisco IPS sensor application image becomes corrupted, you can recover it by
using one of two methods.
You can use the recover command. This method retains your sensor IP address, subnet
mask, and default gateway settings.
You can choose the Cisco IPS recovery image from the boot menu during bootup. This
method also retains your sensor IP address, subnet mask, and default gateway settings and
is useful if you are unable to access the CLI.
Note You can also recover sensor platforms that support a CD drive using the Cisco IPS Sensor
Software Version 6.0(1) Recovery CD.
recover Command
sensor(config)# recover application-partition
[Figure: boot menu showing the Cisco IPS Recovery entry.]
You can perform an application reimage on the following sensors using the boot menu:
Cisco IDS 4215 Sensor
Cisco IPS 4240 Sensor
Cisco IDS 4250 XL Sensor
Cisco IPS 4255 Sensor
Cisco IPS 4260 Sensor
Follow these steps to perform an application reimage using the boot menu option during reboot:
Step 1 Enter reset at the privileged EXEC prompt to reboot the sensor.
sensor# reset
Step 2 Answer yes when asked if you want to continue.
Warning: Executing this command will stop all applications and
reboot the node. Continue with reset? [] yes
Step 3 When the Grand Unified Bootloader (GRUB) menu is displayed, press the Down
Arrow key to choose Cisco IPS Recovery.
The Recovery Image File
You can upgrade the recovery image on your sensor with the most recent version so that it is
ready if you need to recover the application image. Recovery images are generated only for
major and minor software releases, not for service packs or signature updates. The recovery
image file can be recognized by the “r” identifier in its name. For example, in the file name
IPS-K9-r-1.1-a-6.0-1.pkg, the “r-1.1” indicates that this is a recovery image and specifies the
recovery image version. Like other image files, the recovery image can be applied to the sensor
by using the upgrade command.
You can use the Cisco IPS Sensor Software Version 6.0 recovery image file with the CLI
upgrade command to upgrade the recovery image of the following sensors:
Cisco IDS 4215 Sensor
Cisco IPS 4240 Sensor
Cisco IDS 4250 XL Sensor
Cisco IPS 4255 Sensor
Cisco IPS 4260 Sensor
Note Cisco IPS Sensor Software Version 6.0 files are available through a Cisco.com download.
New attacks that pose a threat to networks are discovered every day. Cisco releases regular
signature updates and critical updates for major attack events to enable the sensor to detect
these attacks. Cisco also releases service packs to improve the intrusion prevention capabilities
of the Cisco IPS sensors.
Signature updates are released independently from the other software files, such as major
upgrades, minor upgrades, and service packs, and they have their own versioning scheme.
Note Beginning with Cisco IPS Sensor Software Version 5.0, signature updates include all
signatures since the initial signature release, in addition to the new signatures being
released.
Cisco has partnered with Trend Micro to provide an additional signature update service. You
can subscribe to this service, in which Trend Micro pushes signature updates to sensors within
two hours of signature creation. Your sensor must be properly licensed to accept the signature
updates.
Trend Micro updates signatures by adding or modifying signatures within its own set in the signature
definition service configuration. Trend Micro is allotted a block of signatures in the configuration
and does not change the settings for signatures outside that block. The sensor supports partial
configuration changes so that Trend Micro can modify only its part of the configuration. Trend Micro
can push signature updates independently of the normal signature updates.
You can install service pack and signature updates from the supported management consoles or
from the CLI. You can also uninstall the most recent update if necessary.
Note To remove the last applied signature update or service pack, use the downgrade command
in global configuration mode.
Service pack file name format: IPS-K9-type-w.x-y.pkg (update type, software version w.x-y, extension)
Example: IPS-K9-sp-6.0-2.pkg
A Cisco IPS service pack file name has the following parts:
IPS: This specifies the product line.
K9: This indicates strong cryptography.
Update type: This indicates whether the file contains a major version upgrade, a minor
version upgrade, or a service pack. The package type for a service pack is “sp.”
Software version: The software version consists of numeric values representing the major
release, the minor upgrade, and the service pack. The major release number and minor
upgrade number are separated by a period (.). The minor upgrade number and the service
pack number are separated by a hyphen (-).
Extension: The filename extension is .pkg.
Signature Update Files
Signature update file name format: IPS-sig-Sx-req-w.pkg (signature version designator S, signature update version x, minimum requirement designator req-w, extension)
Example: IPS-sig-S267-req-E1.pkg
A Cisco IPS signature update file name has the following parts:
IPS: This specifies the product line.
sig: This specifies the update type, which indicates the type of content contained in the file.
The package type “sig” indicates that this is a signature update.
S: This is the signature version designator.
x: This is the signature update version.
req: This is the minimum requirement designator.
Extension: This is the filename extension.
Update Sensor panel (Configuration > Update Sensor): either Update Is Located on a Remote Server and Is Accessible by the Sensor (URL, Username, Password fields) or Update Is Located on This Client (Local File field and Browse button)
From the Cisco IDM Update Sensor panel, you can immediately apply service pack and
signature updates. The sensor does not download service pack and signature updates from
Cisco.com. You must download the service pack and signature updates from Cisco.com to an
FTP, SCP, HTTP, or HTTPS server and then configure the sensor to download them from your
server.
Follow these steps to immediately apply a service pack and signature update:
Step 1 Click Configuration and choose Update Sensor. The Update Sensor panel is
displayed.
Step 2 Choose one of the two options and complete the fields it activates.
Update Is Located on a Remote Server and Is Accessible by the Sensor:
Supply the following information for this option:
— URL: Select the type of server on which the file is stored from the drop-down menu and
enter the URL where the update can be found in the URL field. The syntax for each type of
server is as follows:
FTP:
ftp://location/relative_directory/filename
or
ftp://location//absolute_directory/filename
HTTPS:
https://location/directory/filename
Note Before using the HTTPS protocol, configure a TLS trusted host.
SCP:
scp://location/relative_directory/filename
or
scp://location/absolute_directory/filename
HTTP:
http://location/directory/filename
Note The sensor applications are stopped while the update is applied. If you are applying a
service pack, the installer automatically reboots the sensor.
Auto Update panel (Configuration > Auto Update): Enable Auto Update check box, Remote Server Settings, Schedule (Hourly or Daily), Apply button
You can configure automatic updates to have service pack or signature updates that reside on a
local FTP or SCP server downloaded and applied to your sensor. The sensor does not
automatically download service pack and signature updates from Cisco.com. You must
download the service pack or signature updates from Cisco.com to your FTP or SCP server and
then configure the sensor to download them from your server.
Step 2 Check the Enable Auto Update check box to enable automatic updates. If you do
not check Enable Auto Update, all of the fields are disabled and cleared. You cannot
toggle this on or off without losing all of the other settings.
Step 3 Enter the IP address of the remote server that contains the updates in the IP Address
field within the Remote Server Settings.
Step 4 Choose FTP or SCP from the File Copy Protocol drop-down menu to identify the
protocol used to connect to the remote server.
Step 5 Enter the path to the update in the Directory field. The path cannot exceed 128
characters.
Step 6 Enter the username to use when logging into the remote server in the Username
field. A valid value for the username is 1 to 16 characters.
Step 7 In the Password field, enter the password for the username that you specified. A
valid password contains 1 to 16 characters.
Step 9 Choose one of the following Frequency radio buttons within the Schedule settings:
Hourly: This enables the sensor to check for an update at the hourly interval that
you specify. If you select this option, enter a value from 1 to 8760 in the
Every___Hours field. For example, if you enter 5, every 5 hours the sensor
looks at the directory of files on the server. If there is an available update
candidate, it is downloaded and installed. Only one update is installed per cycle,
even if there are multiple available candidates. The sensor determines the latest
update that can be installed in a single step and installs that file.
Daily: This enables you to specify the days of the week on which updates are
performed. Check the check boxes for the day or days on which you want the
sensor to check for and download available updates.
Step 10 Enter, in 24-hour time, the time at which you want the updates to start in the Start
Time fields.
Note To remove your changes, click Reset. Reset refreshes the panel by replacing any edits that
you made with the previously configured value.
Step 11 Click Apply to apply your changes to the sensor and save them.
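As an added example (not Cisco's code or part of this guide), the following Python script parses the service pack, recovery image, and signature update file names described earlier in this lesson and applies the auto-update rule above, in which only one update is installed per cycle. The applicability rules, the reading of the req designator as an engine level E<n>, the preference for a service pack over a signature update, and the directory listing are all assumptions constructed for the example.

```python
"""Parse Cisco IPS 6.0 update file names and pick the next auto-update candidate.

Added example, not Cisco code. File name layouts come from the guide:
  service pack / upgrade : IPS-K9-<type>-<major>.<minor>-<sp>.pkg    e.g. IPS-K9-sp-6.0-2.pkg
  recovery image         : IPS-K9-r-<rv>-a-<major>.<minor>-<sp>.pkg  e.g. IPS-K9-r-1.1-a-6.0-1.pkg
  signature update       : IPS-sig-S<x>-req-<w>.pkg                  e.g. IPS-sig-S267-req-E1.pkg
Assumptions (not stated by the guide): the req value is an engine level E<n> that the sensor
must already meet; upgrades and recovery images are never auto-installed; when both a service
pack and a signature update apply, the service pack is chosen first.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SW_RE = re.compile(r"^IPS-K9-(?P<type>[a-z]+)-(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)\.pkg$")
REC_RE = re.compile(r"^IPS-K9-r-(?P<rmaj>\d+)\.(?P<rmin>\d+)-a-(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)\.pkg$")
SIG_RE = re.compile(r"^IPS-sig-S(?P<sig>\d+)-req-E(?P<engine>\d+)\.pkg$")


@dataclass(frozen=True)
class Package:
    filename: str
    kind: str                          # "sp", "upgrade", "recovery" or "sig"
    version: Tuple[int, ...]           # (major, minor, sp), (rmaj, rmin) or (S number,)
    requires_engine: Optional[int] = None              # signature updates: n from "req-E<n>"
    applies_to: Optional[Tuple[int, int, int]] = None  # recovery images: the "-a-" software version


def parse_package(filename: str) -> Optional[Package]:
    """Classify one file name; return None for anything that is not an IPS package."""
    m = REC_RE.match(filename)
    if m:
        return Package(filename, "recovery", (int(m["rmaj"]), int(m["rmin"])),
                       applies_to=(int(m["major"]), int(m["minor"]), int(m["sp"])))
    m = SIG_RE.match(filename)
    if m:
        return Package(filename, "sig", (int(m["sig"]),), requires_engine=int(m["engine"]))
    m = SW_RE.match(filename)
    if m:
        # The guide names only the "sp" type code; any other token is treated as a major or
        # minor upgrade without guessing which.
        kind = "sp" if m["type"] == "sp" else "upgrade"
        return Package(filename, kind, (int(m["major"]), int(m["minor"]), int(m["sp"])))
    return None


@dataclass(frozen=True)
class SensorState:
    software: Tuple[int, int, int]   # running major, minor, service pack
    signature_level: int             # installed signature update S number
    engine_level: int                # installed engine level E number (assumed meaning of req-E<n>)


def installable(pkg: Package, state: SensorState) -> bool:
    """Assumed single-step rules: a service pack must target the running major.minor and be
    newer than the running sp; a signature update must be newer and its req level met."""
    major, minor, sp = state.software
    if pkg.kind == "sp":
        return pkg.version[:2] == (major, minor) and pkg.version[2] > sp
    if pkg.kind == "sig":
        return (pkg.version[0] > state.signature_level
                and pkg.requires_engine is not None
                and pkg.requires_engine <= state.engine_level)
    return False


def pick_next_update(listing: List[str], state: SensorState) -> Optional[Package]:
    """Apply the guide's one-update-per-cycle rule: return the single latest installable
    candidate from a server directory listing, or None when nothing applies."""
    candidates = [p for p in map(parse_package, listing) if p is not None and installable(p, state)]
    if not candidates:
        return None
    rank = {"sp": 1, "sig": 0}   # assumed preference: service pack before signature update
    return max(candidates, key=lambda p: (rank[p.kind], p.version))


# Constructed directory listing for demonstration; the file names are not real releases.
SAMPLE_LISTING = [
    "IPS-K9-sp-6.0-2.pkg",
    "IPS-K9-sp-6.0-3.pkg",
    "IPS-K9-sp-5.1-4.pkg",
    "IPS-sig-S267-req-E1.pkg",
    "IPS-sig-S270-req-E2.pkg",
    "IPS-K9-r-1.1-a-6.0-1.pkg",
    "readme.txt",
]

if __name__ == "__main__":
    state = SensorState(software=(6, 0, 1), signature_level=260, engine_level=1)
    chosen = pick_next_update(SAMPLE_LISTING, state)
    print(chosen.filename if chosen else "no applicable update")
```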
The following are guidelines for installing and deploying Cisco IPS Sensor Software updates:
Obtain a license for downloading signature updates.
Obtain a Cisco.com password for accessing the Software Center and downloading updates.
Check Cisco.com regularly for the latest signature updates and service packs. Signature
updates, which also contain Network Security Database (NSDB) updates, occur
approximately every two weeks, and service packs are made available as the product is
upgraded.
Read the release notes to determine if the sensor meets the requirements. The release notes
contain caveats and known issues that can arise when the update is installed.
Download update files to an FTP, SCP, HTTP, or HTTPS server on your network.
Signature update files and service pack files are the same for all of the sensor platforms.
Note It is strongly recommended that you download and apply all of the service pack updates as
they become available. You can find service packs, signature updates, readme files, and
other Cisco IPS Sensor Software updates in the Software Center on Cisco.com at
http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/.
Caution Never reboot the sensor during an installation process. Doing so will leave the sensor in an
unknown state and may require that the sensor be reimaged.
Password Recovery
This topic explains how to use the new password recovery feature in the various Cisco IPS
sensor products.
Password Recovery
For most Cisco IPS sensor platforms, you can now recover the password on the sensor rather
than using the service account or reimaging the sensor. This section describes how to recover
the password for the various Cisco IPS sensor platforms.
Password recovery implementations vary according to Cisco IPS sensor platform requirements.
Password recovery is implemented only for the Cisco administrative account and is enabled by
default. The Cisco IPS sensor administrator can then recover user passwords for other accounts
using the CLI. The Cisco user password reverts to “cisco” and must be changed after the next
login.
Password Recovery: Cisco IPS 4200 Series Sensor
Password recovery occurs from the GRUB menu (Clear Password (cisco) entry), which appears during bootup. To use this menu, the Cisco IPS user must have a direct serial connection to the Cisco IPS 4200 Series Sensor.
For the Cisco IPS 4200 Series Sensors, you can find password recovery in the GRUB menu,
which appears during bootup. When the GRUB menu appears, press any key to pause the boot
process.
Note You must have a terminal server or direct serial connection to the sensor to use the GRUB
menu to recover the password.
The password is reset to “cisco.” You can change the password the next time that you log into
the CLI.
The Cisco IPS 4240 and 4255 Sensors also support password recovery from the ROM monitor CLI.
To access the ROM monitor CLI, reboot the sensor from a console connection and interrupt the boot process by pressing Esc or Ctrl-R (terminal server) or sending a Break command (direct connection).
The ROM monitor commands to reset the password are:
– confreg=0x7
– boot
For the Cisco IPS 4240 and Cisco IDS 4250 XL Sensors, you can use the ROM monitor to
recover the password. To access the ROM monitor CLI, reboot the sensor from a terminal
server or direct connection and interrupt the boot process.
Follow these steps to recover the password using the ROM monitor CLI:
Step 2 Interrupt the boot process by pressing Esc or Ctrl-R (terminal server) or send a
Break command (direct connection).
The boot code either pauses for 10 seconds or displays something similar to one of the
following:
Password: ********
Warning: Executing this command will apply a major version
upgrade to the application partition. The system may be
rebooted to complete the upgrade.
Password Recovery: Cisco ASA AIP-SSM
ciscoasa(config)# hw-module module slot_number password-reset
Use the hw-module module slot_number password-reset command to reset the Cisco
Adaptive Security Appliance Advanced Inspection and Prevention Security Services Module
(ASA AIP-SSM) password to the default of “cisco.” The Cisco ASA 5500 Series Adaptive
Security Appliance sets the ROM monitor configuration register bits to 0x7 and then reboots
the sensor. When the ROM monitor configuration register bits are set to 0x7, the GRUB menu
defaults to option 2 (clear password).
If the module in the specified slot has a Cisco IPS Sensor Software Version that does not
support password recovery, the following error message is displayed:
ERROR: the module in slot <n> does not support password recovery.
Note To recover the password on a Cisco ASA AIP-SSM, you must be running Cisco ASA
Software Version 8.0 or later.
To recover the password for the Cisco Catalyst 6500 Series IDSM-2, you must perform a
system image upgrade, which installs a special password recovery image instead of a typical
system image. This upgrade resets only the password—all of the other configuration remains
intact. You must have administrative access to the Cisco Catalyst 6500 Series Switch to recover
the password. You boot to the maintenance partition and execute the upgrade command to
install a new image. Use the following commands:
For Cisco Catalyst operating system software:
— reset module_number cf:1
— session module_number
For Cisco IOS Software:
— hw-module module module_number reset cf:1
— session slot slot_number processor 1
The only transfer protocol that you can use for this upgrade is FTP. Ensure that you put the password
recovery image file (WS-SVC-IDSM2-K9-a-5.2-password-recovery.bin.gz) on an FTP server.
Note For the full procedures, refer to Configuring the Cisco Intrusion Prevention System Sensor
Using the Command Line Interface 6.0: Upgrading, Downgrading, and Installing System
Images at
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517ba.html#wp1121140.
Configuring Password Recovery
The host component can be configured to allow or deny password recovery (Allow Password Recovery check box). Use the CLI or Cisco IDM to disable password recovery.
The ability to perform password recovery is enabled by default. You can disable this feature
using the CLI or Cisco IDM.
Note If you try to recover the password on a sensor on which password recovery is disabled, the
process proceeds with no errors or warnings; however, the password is not reset.
Follow these steps to disable or enable password recovery using the Cisco IDM:
Step 1 Log into the Cisco IDM using an account with administrator privileges.
Step 3 To disable password recovery, uncheck the Allow Password Recovery check box.
To re-enable the password recovery feature, check the Allow Password Recovery
check box.
You can ignore this message. Only the password is reset when you use the specified
password recovery image.
Use the show settings | include password command to verify that password recovery is
enabled. Follow these steps to verify that password recovery is enabled:
sensor(config-hos)# show settings | include password
password-recovery: allowed <defaulted>
sensor(config-hos)#
Restore Defaults
When you restore the default configuration of your sensor, your network settings are lost and
you are disconnected from the sensor.
Step 1 Click Configuration and choose Restore Defaults. The Restore Defaults panel is
displayed.
Step 2 Click Restore Configuration Defaults to restore the default configuration. The
Restore Defaults window opens.
Step 3 Click Yes to begin the restore defaults process. An Information window displays the
following message:
Your connection to Sensor is closed. IDM will now exit.
Note From the CLI, enter erase current-config to reset the sensor back to its default.
Backing Up and Restoring Configurations
sensor# copy [/erase] source-url destination-url
Note See the document Configuring the Cisco Intrusion Prevention System Sensor Using the
Command Line Interface 6.0 at
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a0080751759.html
for the complete copy command syntax.
Follow these steps to back up and restore the configuration of the sensor:
Step 1 Enter the following command at the privileged EXEC prompt to save the current
configuration in a backup file:
sensor# copy current-config ftp://ip_address/file_name
Step 2 Choose one of the following:
Enter the following command to merge the backup configuration into the
current configuration:
sensor# copy ftp://ip_address/file_name current-config
Enter the following command to overwrite the current configuration with the
backup configuration:
Summary
Lesson 2
Overview
This lesson provides information on how to monitor the health and welfare of your sensor.
There are a variety of tools that you can use to examine the status of your Cisco Intrusion
Prevention System (IPS) sensors, including the command-line interface (CLI), the Cisco IPS
Device Manager (IDM), the Cisco Security Manager, and Simple Network Management
Protocol (SNMP).
Objectives
Upon completing this lesson, you will be able to use the CLI and the Cisco IDM to verify sensor
configuration. This ability includes being able to meet these objectives:
Explain the various CLI commands used for sensor monitoring
Describe the Cisco IDM as a tool to perform sensor monitoring
Describe Cisco Security Manager as a tool to perform sensor monitoring
Describe SNMP as a tool to perform sensor monitoring
Using the CLI to Monitor the Sensor
This topic explains how to use the CLI to display information about your sensor.
The sensor CLI contains a number of commands that enable you to obtain valuable information
about your sensor and can be very useful for troubleshooting. These commands can provide the
following information:
Cisco Product Evolution Program (PEP) information
Service statistics
Interface statistics
Details about traffic traversing an interface
Technical support information
Displaying PEP Information
sensor# show inventory
Cisco devices, including intrusion prevention sensors, have a Unique Device Identifier (UDI)
that enables you to easily and efficiently manage certified hardware versions within your
network. These are characteristics of the UDI:
It is guaranteed to be unique for all Cisco devices.
It can be retrieved via the CLI or an SNMP MIB.
Methods of retrieving it are platform independent.
It includes product version traceability.
It is a deliverable of Cisco PEP, a new architecture baseline for all Cisco products.
It is made up of the following three values:
— Product identifier (PID): This indicates a product that can be ordered by a
customer. These items are used by the customer, sales, customer service, Global
Product Services, and manufacturing to transact an order for a certain product. The
naming convention is alphanumeric.
— Version identifier (VID): This indicates the version of a product identifier. The
naming convention is a three-character field comprising the letter “v” followed by a
two-character number starting at 00 and incrementing until the product version
reaches 99. The “v” character may be uppercase or lowercase, for example, v03 or
V21.
— SN: This is the product serial number.
You can retrieve Cisco PEP information from a Cisco IPS sensor only if the Cisco PEP
information is stored in the sensor. This information is currently stored only in the Cisco IPS
4240 and 4255 Sensors. Therefore, the show inventory command is currently available only on
these sensors.
Displaying Service Statistics
sensor# show statistics {analysis-engine | authentication | denied-attackers | event-server | event-store | host | logger | network-access | notification | sdee-server | transaction-source | virtual-sensor [name] | web-server} [clear]
Displays statistics for the specified option
Statistics provide a snapshot of the current internal state of sensor services; therefore, they can
be very useful for troubleshooting. You can use the show statistics command to display
statistics. The statistics content is specific to the service that provides it.
Displaying Interface Statistics
sensor# show interfaces {fastethernet | gigabitethernet | management} [slot/port]
You can use the show interfaces command to display statistics for all sensor interfaces. You
can display statistics simultaneously for all interfaces or for all interfaces of a specified type.
You can also display statistics for a specific interface. The clear option clears statistics that can
be reset.
Parameter Description
fastethernet This parameter displays the statistics for the Fast Ethernet interfaces.
gigabitethernet This parameter displays the statistics for the Gigabit Ethernet interfaces.
slot/port Refer to the appropriate hardware manual for slot and port information.
Displaying Learned Operating Systems
sensor# show os-identification [name] learned [ip-address]
To display operating system IDs associated with the IP addresses learned by the sensor through
passive analysis, use the show os-identification command in privileged EXEC mode. The
syntax for the show os-identification command is show os-identification [name] learned [ip-address].
Parameter Description
name (Optional) This is the name of the virtual sensor configured on the sensor. The show operation is restricted to learned IP addresses associated with the identified virtual sensor.
ip-address (Optional) This is the IP address to query. The sensor reports the operating system mapped to the specified IP address.
If you specify the name of a virtual sensor, only the operating system IDs learned by that
virtual sensor are displayed; otherwise, the learned operating system IDs for all virtual sensors are
displayed. If you specify an IP address without a virtual sensor, the output displays all virtual
sensors containing the requested IP address.
The following example displays the operating system ID for a specific IP address:
sensor# show os-identification learned 10.1.1.12
Virtual Sensor vs0:
10.1.1.12 windows
The following example displays the operating system ID for all of the virtual sensors:
Displaying Anomaly Detection Knowledge Base
sensor# show ad-knowledge-base virtual-sensor files
Use the show ad-knowledge-base command to display the anomaly detection knowledge base
files available for a virtual sensor. The syntax for the command is show ad-knowledge-base
virtual-sensor files.
The following example displays the knowledge base files available for all of the virtual sensors.
The file 2007-Mar-16-10_00_00 is the current knowledge base file loaded for virtual sensor
vs0.
sensor# show ad-knowledge-base files
Virtual Sensor vs0
Filename Size Created
initial 84 04:27:07 CDT Wed Jan 28 2007
* 2006-Jan-29-10_00_01 84 04:27:07 CDT Wed Jan 29 2007
2006-Mar-17-10_00_00 84 10:00:00 CDT Fri Mar 17 2007
2006-Mar-18-10_00_00 84 10:00:00 CDT Sat Mar 18 2007
If you do not provide the name of the virtual sensor, the knowledge base files are displayed for
all of the virtual sensors.
Displaying Technical Support Information
sensor# show tech-support [page] [password] [destination-url destination-url]
The show tech-support command captures all status and configuration information on the
sensor. The command allows the information to be transferred to a remote system. The output
includes HTML-linked output from the following commands and can be very large:
show interfaces
show statistics network-access
cidDump
The cidDump command captures a large amount of information, including the process list, log
files, operating system information, directory listings, package information, and configuration
files. This information is needed by developers to troubleshoot problems.
Parameter Description
page (Optional) This parameter causes the output to display one page of information at a time. Use the Enter key to display the next line of output or use the Spacebar to display the next page of information. If page is not used, the output is displayed without page breaks.
destination-url (Optional) This is the destination for the report file. If a URL is provided, the output will be formatted as an HTML file and sent to the specified destination; otherwise the output is displayed on the screen.
The exact format of the destination URL varies according to the file. You can select a filename,
but it must be terminated by .html.
Using the Cisco IDM to Monitor the Sensor
This topic explains how to use the Cisco IDM to run a diagnostics report and view statistics and
system information.
You can obtain diagnostics information about your sensors for troubleshooting purposes by
running a diagnostics report. Complete the following steps to run a diagnostics report.
Caution After you start the diagnostics process, do not click any other options in the Cisco IDM or
leave the Diagnostics panel. This process must run to completion before you attempt to
perform any other tasks for the sensor.
Step 1 Click Monitoring and choose Support Information > Diagnostics Report. The
Diagnostics Report panel is displayed.
Step 2 Click Generate Report. The diagnostics process begins and may continue for
several minutes. When the process is complete, a report is generated and the display
is refreshed with the updated report.
Note To save the report as a file, view the report in your browser and choose File > Save As.
Viewing Statistics
Step 1 Click Monitoring and choose Support Information > Statistics. The Statistics
page is displayed.
Step 2 To update statistics as they change, click Refresh. Refresh displays the latest
information about the sensor applications.
Viewing System Information
Step 1 Click Monitoring and choose Support Information > System Information.
Step 2 The System Information panel displays information about the system.
Step 3 Click Refresh. The panel refreshes and displays new information.
Cisco Security Manager is a powerful but very easy-to-use solution to centrally provision all
aspects of device configurations and security policies for Cisco firewalls, Cisco virtual private
networks (VPNs), and Cisco IPS sensors. The solution is effective for managing even small
networks consisting of fewer than 10 devices, but also scales to efficiently manage large-scale
networks composed of thousands of devices. Scalability is achieved through intelligent policy-
based management techniques that can simplify administration.
Note Cisco Security Manager Version 3.1 or later is required to install or configure Cisco IPS
Sensor Software Version 6.0.
Monitoring Using SNMP
This topic describes how to use SNMP as a tool to perform sensor monitoring.
You can configure the sensor for monitoring by SNMP, an application layer protocol that
facilitates the exchange of management information among network devices. SNMP enables
you to manage network performance, find and solve network problems, and plan for network
growth.
SNMP is a simple request and response protocol. An SNMP network management system
(NMS) issues a request, and managed devices return responses. This behavior is implemented
by using one of the following protocol operations: Get, GetNext, Set, and Trap. Cisco IPS
Sensor Software Version 6.0 currently implements the Get and Set SNMP operations. The Get
operation is used by the NMS to retrieve information from an Agent. The Set operation is used
by the manager to set the values of object instances within an Agent.
Complete the following steps to configure the sensor so that it can be monitored by SNMP:
Step 1 Click Configuration and choose SNMP > SNMP General Configuration. The
SNMP General Configuration panel is displayed.
Step 2 Check the Enable SNMP Gets/Sets check box to enable SNMP so that the SNMP
NMS can issue requests to the sensor SNMP agent.
Step 3 Complete the following substeps to configure the SNMP Agent Parameters, which
are the values that the NMS can request from the sensor SNMP agent.
1. Enter the read-only community string in the Read-Only Community String field.
This entry identifies the community string for read-only access.
3. Enter the sensor contact user ID in the Sensor Contact field. The sensor contact
identifies the point of contact for the sensor.
5. Enter the sensor port for its SNMP agent in the Sensor Agent Port field. This
entry identifies the sensor IP port. The default SNMP port number is 161.
6. From the Sensor Agent Protocol drop-down menu, choose the protocol that the
sensor SNMP agent will use. The Sensor Agent Protocol identifies the sensor
protocol. The default protocol is User Datagram Protocol (UDP).
Note If you want to undo your changes, click Reset. Reset refreshes the panel by replacing any
edits that you made with the previously configured value.
Step 4 Click Apply to apply your changes and save the revised configuration.
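The Get exchange described in this topic, as an added example that is not part of the Cisco guide: a minimal SNMPv2c codec that builds the GetRequest an NMS sends to the sensor SNMP agent (UDP port 161 by default, as configured above) and parses the GetResponse, verifying version, community string, request-id and error-status before trusting any value. The OIDs (sysDescr.0 and sysUpTime.0 from the standard system group), the community string "public" and the reply contents in demo_exchange are constructed for the example; no sensor is queried. SNMPv1 and v2c carry the community string in cleartext, so the read-only string entered in Step 3 is the only access control on Get requests, and the example checks it on the reply the same way an agent checks it on the request.

```python
# Minimal SNMPv2c Get codec (added example, not Cisco code). Builds the request an NMS
# sends to the sensor agent and checks the reply the way a careful client should.
SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST, GET_RESPONSE, SNMP_V2C = 0xA0, 0xA2, 1

def _tlv(tag, body):
    """BER tag-length-value; long-form length once the body reaches 128 bytes."""
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    prefix = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + prefix + body

def encode_int(value):
    """BER INTEGER: two's complement, big-endian, with room for the sign bit."""
    return _tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def encode_oid(oid):
    """Dotted OID: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))

def _message(community, pdu_tag, request_id, varbinds):
    """SEQUENCE { version, community, PDU { request-id, error-status, error-index, varbinds } }."""
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + _tlv(SEQUENCE, varbinds)
    return _tlv(SEQUENCE, encode_int(SNMP_V2C) + _tlv(OCTET_STRING, community.encode()) + _tlv(pdu_tag, pdu))

def build_get_request(community, oids, request_id):
    """NMS side: every requested OID is paired with a NULL placeholder value."""
    varbinds = b"".join(_tlv(SEQUENCE, encode_oid(o) + _tlv(NULL, b"")) for o in oids)
    return _message(community, GET_REQUEST, request_id, varbinds)

def build_get_response(community, request_id, varbinds):
    """Agent side: the same OIDs with (tag, raw value bytes) filled in; used here to construct a reply."""
    varbinds = b"".join(_tlv(SEQUENCE, encode_oid(o) + _tlv(t, v)) for o, t, v in varbinds)
    return _message(community, GET_RESPONSE, request_id, varbinds)

def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def _fields(buf):
    """Split a constructed body into its list of (tag, body) children."""
    pos, out = 0, []
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def decode_value(tag, body):
    """Decode the value types a Get on the system group returns; other types come back raw."""
    if tag == INTEGER:
        return int.from_bytes(body, "big", signed=True)
    if tag in (0x41, 0x42, 0x43, 0x46):  # Counter32, Gauge32, TimeTicks, Counter64: unsigned
        return int.from_bytes(body, "big")
    return body.decode("utf-8", "replace") if tag == OCTET_STRING else None if tag == NULL else body

def parse_response(message, expected_community, expected_id):
    """Decode a GetResponse into {oid: value}, rejecting replies that do not match our request."""
    tag, body, _ = _read_tlv(message, 0)
    (_, version), (_, community), (pdu_tag, pdu) = _fields(body)
    if tag != SEQUENCE or decode_value(INTEGER, version) != SNMP_V2C:
        raise ValueError("not an SNMPv2c message")
    if community != expected_community.encode():
        raise ValueError("community string mismatch")
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    (_, rid), (_, status), (_, index), (_, varbind_list) = _fields(pdu)
    if decode_value(INTEGER, rid) != expected_id:
        raise ValueError("request-id mismatch: reply is not for our request")
    if decode_value(INTEGER, status) != 0:
        raise ValueError(f"agent error-status {status[0]} at varbind {index[0]}")
    result = {}
    for _, varbind in _fields(varbind_list):
        (_, oid), (vtag, vbody) = _fields(varbind)
        result[decode_oid(oid)] = decode_value(vtag, vbody)
    return result

def demo_exchange():
    """Offline round trip: our request plus a constructed agent reply (no real sensor values)."""
    community, request_id, oids = "public", 0x1234, ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0"]
    request = build_get_request(community, oids, request_id)  # sysDescr.0, sysUpTime.0
    reply = build_get_response(community, request_id, [(oids[0], OCTET_STRING, b"constructed sensor description"),
                                                       (oids[1], 0x43, (123456).to_bytes(3, "big"))])  # TimeTicks
    return request, parse_response(reply, community, request_id)
```

To query a real sensor, send the bytes from build_get_request over a UDP socket to the sensor agent port and pass the returned datagram, with the same community string and request-id, to parse_response; the request-id check is what ties a reply to the request that produced it, and the error-status check surfaces an agent that refused or could not answer instead of silently returning nothing.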
Summary
This topic summarizes the key points that were discussed in this lesson.
You can accomplish most of the maintenance of the Cisco Intrusion Prevention System (IPS)
sensor using the Cisco IPS Device Manager (IDM). The command-line interface (CLI), Cisco
Security Manager, and Simple Network Management Protocol (SNMP) are also tools that can
help you manage the Cisco IPS sensors.
References
For additional information, refer to these resources:
Cisco Systems, Inc., Cisco Intrusion Prevention System Command Reference 6.0. http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_command_reference_book09186a00807a874d.html
Cisco Systems, Inc., Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.0: Upgrading, Downgrading, and Installing System Images. http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517ba.html#wp1121140
Cisco Systems, Inc., Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.0. http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a0080751759.html