AIP-SSM Maintenance

This section includes information on administrative maintenance tasks on the AIP-SSM. These tasks include the following:

  • Adding trusted hosts to connect to the AIP-SSM
  • Upgrading the CIPS software and signatures via the CLI
  • Displaying software version and configuration information
  • Backing up the AIP-SSM configuration
  • Displaying and clearing events
  • Displaying and clearing AIP-SSM statistics

Adding Trusted Hosts

In order for a device to be able to connect to the AIP-SSM for management and monitoring purposes, it needs to be added to the trusted host list. You can add trusted hosts that will be able to communicate with the AIP-SSM by following these steps:

Step 1.

Enter configuration mode and invoke the service host command. You will be placed into host configuration mode.

 ChicagoSSM# configure terminal
 ChicagoSSM(config)# service host
 ChicagoSSM(config-hos)#

Step 2.

Invoke the network-settings command to start adding entries to the ACL for hosts or networks allowed to connect to the AIP-SSM:

 ChicagoSSM(config-hos)# network-settings
 ChicagoSSM(config-hos-net)# access-list 192.168.10.123/32
 ChicagoSSM(config-hos-net)# exit
 ChicagoSSM(config-hos)# exit
 Apply Changes:?[yes]: yes
 ChicagoSSM(config)#

In this example, a host with IP address 192.168.10.123 is added to the ACL.

Once you exit from both configuration modes, the AIP-SSM will prompt you to apply the changes to the configuration. Enter yes if the configuration parameters are correct.
 

SSH Known Host List

In order for any SSH client or any SSH server to communicate with the AIP-SSM, you must first add it into the SSH known host list. Use the ssh host-key command to add a host to the AIP-SSM SSH known host list. Example 14-10 shows how a host with IP address 192.168.10.33 is added to the Chicago SSM.

Example 14-10. Adding an Entry to the SSH Known Host List

ChicagoSSM# configure terminal
ChicagoSSM(config)# ssh host-key 192.168.10.33
Would you like to add this to the known hosts table for this host?[yes] yes

The AIP-SSM asks the administrator to confirm the addition of the SSH host entry. Type yes or press Enter to confirm.

TLS Known Host List

The CIPS software allows you to restrict what systems are able to establish a TLS/SSL session to the AIP-SSM. To add a TLS trusted host to the AIP-SSM, use the tls trusted-host command. Example 14-11 demonstrates how to add a TLS host configured with IP address 192.168.10.34. The AIP-SSM does an SSL/TLS exchange with the specified host to obtain its SSL/TLS certificate.

Example 14-11. Adding a TLS Known Host

ChicagoSSM# configure terminal
ChicagoSSM(config)# tls trusted-host ip-address 192.168.10.34

Upgrading the CIPS Software and Signatures via the CLI

You can apply the CIPS software service packs and signature updates by using the CLI. The following protocols are supported:

  • File Transfer Protocol (FTP)
  • Hypertext Transfer Protocol (HTTP)
  • Hypertext Transfer Protocol Secure (HTTPS)
  • Secure Copy Protocol (SCP)

Note

If HTTPS/SSL is used, a trusted TLS host entry must be added for the server from which you will retrieve the service pack or signature update file.

You can perform one-time upgrades or schedule recurring automatic upgrades.

One-Time Upgrades

The upgrade command is used to apply service packs and signature updates to the AIP-SSM. The following is the command syntax:

 upgrade source-url

The source-url is the location from which the AIP-SSM retrieves the upgrade file.

The following is the URL syntax if FTP is used:

ftp:[[//username:password@]location]/relativeDirectory/filename

or

ftp:[[//username@]location]//absoluteDirectory/filename

The syntax for HTTP is

http:[[//username@]location]/directory]/filename

The syntax for HTTPS is

https:[[//username@]location]/directory]/filename

The syntax for SCP is

scp:[[//username@]location]/relativeDirectory]/filename

or

scp:[[//username@]location]/absoluteDirectory]/filename

Tip

If you just enter the upgrade command followed by a protocol prefix (ftp:, http:, https:, or scp:), the CLI prompts you for all the required information.

In Example 14-12, a signature update is retrieved from the HTTPS server that was previously entered into the TLS trusted host list (192.168.10.34). The user httpsuser is used for authentication. After you invoke the command, the AIP-SSM prompts you for the password of the HTTPS server user.

Example 14-12. Applying Signature Updates

ChicagoSSM# configure terminal
ChicagoSSM(config)# upgrade https://httpsuser@192.168.10.34/upgrade/sigupdate.pkg
Enter password: *****
Re-enter password: *****

Scheduled Upgrades

As a best practice, you may want to configure automatic service pack upgrades or signature updates. This eases administration and provides a mechanism to make sure that your AIP-SSM is running updated signatures.

Note

Cisco offers a service where customers can subscribe to obtain IPS signatures shortly after security threats and vulnerabilities are announced. For more information, visit http://www.cisco.com/go/ipsalert/.

In the example illustrated in Figure 14-5, the goal is to configure the AIP-SSM module in the Chicago ASA appliance to automatically retrieve signature updates every Monday, Wednesday, and Friday at 1:00 a.m.

Figure 14-5. Scheduled Upgrades

The following steps are completed on each device to achieve this goal:

Step 1.

The IPS signature update from Cisco.com is downloaded and saved on the management server. To enable automatic upgrades and configure the auto-upgrade settings, enter service host configuration mode and enable the auto-upgrade option as follows:

 ChicagoSSM(config)# service host
 ChicagoSSM(config-hos)# auto-upgrade-option enabled

Step 2.

Specify the IP address of the server from which the AIP-SSM will retrieve the update file. In this case, the server is 192.168.10.188:

 ChicagoSSM(config-hos-ena)# ip-address 192.168.10.188

Step 3.

Specify the file copy protocol used to download files from the server. SCP is used in this example:

 ChicagoSSM(config-hos-ena)# file-copy-protocol scp

Step 4.

Define the username for authentication on the 192.168.10.188 server. The user in this example is called scpuser:

 ChicagoSSM(config-hos-ena)# user-name scpuser

Step 5.

Enter the user password for authentication on the 192.168.10.188 server with the password command. The AIP-SSM prompts you to enter and confirm the password:

 ChicagoSSM(config-hos-ena)# password
 Enter password[]: *****
 Re-enter password: *****

Step 6.

Specify the directory where upgrade files are located on the server. A leading forward slash (/) indicates an absolute path. The directory in this example is called updates and the update file is called sigupdatefile.pkg:

 ChicagoSSM(config-hos-ena)# directory /updates/sigupdatefile.pkg

Step 7.

You can configure two types of scheduled updates:

- Calendar based: Specify the days of the week and times of day at which the AIP-SSM will attempt the updates.
- Periodic: Configure the time at which the first automatic upgrade should occur and how long the AIP-SSM waits between automatic upgrades.

In this example, the AIP-SSM will automatically retrieve signature updates every Monday, Wednesday, and Friday at 1:00 a.m.:

 ChicagoSSM(config-hos-ena)# schedule-option calendar-schedule
 ChicagoSSM(config-hos-ena-cal)# times-of-day 01:00:00
 ChicagoSSM(config-hos-ena-cal)# days-of-week Monday
 ChicagoSSM(config-hos-ena-cal)# days-of-week Wednesday
 ChicagoSSM(config-hos-ena-cal)# days-of-week Friday
 ChicagoSSM(config-hos-ena-cal)# exit

Step 8.

Use the show settings command to view and confirm all the settings entered:

 ChicagoSSM(config-hos-ena)# show settings
 enabled
 -----------------------------------------------
    schedule-option
    -----------------------------------------------
       calendar-schedule
       -----------------------------------------------
          times-of-day (min: 1, max: 24, current: 1)
          -----------------------------------------------
             time: 01:00:00
          -----------------------------------------------
          -----------------------------------------------
          days-of-week (min: 1, max: 7, current: 3)
          -----------------------------------------------
             day: monday
             -----------------------------------------------
             day: wednesday
             -----------------------------------------------
             day: friday
          -----------------------------------------------
       -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
    ip-address: 192.168.10.188
    directory: /updates/sigupdatefile.pkg
    user-name: scpuser
    password:
    file-copy-protocol: scp default: scp
 -----------------------------------------------

Step 9.

Exit configuration mode. You will be asked to apply the changes. Enter yes if the information is correct.

 ChicagoSSM(config-hos-ena)# exit
 ChicagoSSM(config-hos)# exit
 Apply Changes:?[yes]: yes

Displaying Software Version and Configuration Information

You can use the show version command to display the version of the CIPS software, signature packages, and IPS processes running on the AIP-SSM. Example 14-13 shows the output of the show version command at the ChicagoSSM.

Example 14-13. Output of AIP-SSM show version Command

ChicagoSSM# show version
Application Partition:

Cisco Intrusion Prevention System, Version 5.0(1)S149.0

OS Version 2.4.26-IDS-smp-bigphys
Platform: ASA-SSM-20
Serial Number: 1234567890
Trial license, expires: 21-Feb-2005 UTC
Sensor up-time is 12 days.
Using 501858304 out of 1984704512 bytes of available memory (25% usage)
system is using 17.3M out of 29.0M bytes of available disk space (59% usage)
application-data is using 49.1M out of 166.6M bytes of available disk space (31% usage)
boot is using 34.9M out of 68.5M bytes of available disk space (54% usage)

MainApp        2005_Jan_05_11.54 (Release) 2005-01-05T12:06:57-0600 Running
AnalysisEngine 2005_Jan_05_11.54 (Release) 2005-01-05T12:06:57-0600 Running
CLI            2005_Jan_05_11.54 (Release) 2005-01-05T12:06:57-0600

Upgrade History:
 IDS-K9-maj-5.0.1.S141.pkg 11:00:00 UTC Sat Dec 18 2004

Recovery Partition Version 1.1 - 5.0(1)S149.0

In Example 14-13, the Cisco Intrusion Prevention System, Version line shows the CIPS software version running on the AIP-SSM (5.0(1)S149.0). The Sensor up-time line shows that the AIP-SSM has been up for 12 days. The Upgrade History section lists the previous upgrades and updates applied to this AIP-SSM. Other information, such as disk and memory utilization, is also displayed.

You can use the show configuration command to display the current configuration on the AIP-SSM, as shown in Example 14-14.

Example 14-14. Output of AIP-SSM show configuration Command

ChicagoSSM# show configuration
! ------------------------------
! Version 5.0(1)
! Current configuration last modified Tue Feb 08 15:54:43 2005
! ------------------------------
service analysis-engine
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
  network-settings
    host-ip 172.23.62.92/24,172.23.62.1
    host-name ChicagoSSM
    telnet-option enabled
    access-list 192.168.10.123/32
  exit
  time-zone-settings
    offset -420
    standard-time-zone-name GMT-07:00
  exit
  summertime-option recurring
    summertime-zone-name PDT
  exit
  auto-upgrade-option enabled
    schedule-option calendar-schedule
      times-of-day 01:00:00
      days-of-week monday
      days-of-week wednesday
      days-of-week friday
    exit
    ip-address 192.168.10.188
    directory /updates/sigupdatefile.pkg
    user-name scpuser
    password cisco
    file-copy-protocol scp
  exit
exit
! ------------------------------
service interface
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
  general
    never-block-hosts 10.0.0.1
  exit
  user-profiles a
  exit
exit
! ------------------------------
service notification
  snmp-agent-port 165
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
  enable-tls true
  port 443
exit

Backing Up Your Configuration

It is recommended that you back up your configuration on a regular basis. You can back up your configuration to the local Flash on the AIP-SSM or to a remote server.

Use the copy current-config backup-config command to make a backup of the current configuration to a file (called backup-config) locally stored on the AIP-SSM. You can merge the backup configuration file with the current configuration file or overwrite the current configuration file with the backup configuration file. In Example 14-15, the AIP-SSM merges the backup configuration into the current configuration.

Example 14-15. Merging the Backup Configuration

ChicagoSSM# copy backup-config current-config

In Example 14-16, the AIP-SSM overwrites the current configuration file with the backup configuration file.

Example 14-16. Overwriting the Current AIP-SSM Configuration with the Backup Configuration

ChicagoSSM# copy /erase backup-config current-config

As a best practice, you should back up your configuration file to an external server. In the example illustrated in Figure 14-6, SecureMe's Chicago AIP-SSM copies a backup of its configuration file to FTP server 192.168.10.159.

Figure 14-6. Configuration Backup

Example 14-17 shows the command entered on the AIP-SSM.

Example 14-17. Backing Up the Configuration to an FTP Server

ChicagoSSM# copy current-config ftp://192.168.10.159
User: ftpuser
File name: ChicagoSSM_Config
Password: ********

The AIP-SSM prompts the administrator to enter the FTP user, file name, and password. The configuration is then copied to a file named ChicagoSSM_Config on the FTP server 192.168.10.159.

Displaying and Clearing Events

The show events command enables you to view the events stored in the AIP-SSM's local event log. After invoking this command, all the events are displayed as a live feed (to exit, press Ctrl-C). Example 14-18 lists all the available options for the show events command.

Example 14-18. show events Command Options

ChicagoSSM# show events ?
alert       Display local system alerts.
error       Display error events.
hh:mm[:ss]  Display start time.
log         Display log events.
nac         Display NAC shun events.
past        Display events starting in the past specified time.
status      Display status events.
|           Output modifiers.

In Example 14-19, the AIP-SSM displays past events since 8:00 a.m.

Example 14-19. Displaying Past Events

ChicagoSSM# show events past 08:00:00
evStatus: eventId=1104988000052754141 vendor=Cisco
  originator:
    hostId: ChicagoSSM
    appName: cidwebserver
    appInstanceId: 276
  time: 2005/02/09 18:54:56 2005/02/09 11:54:56 GMT-09:00
  controlTransaction: command=getEventServerStatistics successful=true
    description: Control transaction response.
    requestor:
      user: cisco
      application:
        hostId: 127.0.1.1
        appName: -cidcli
        appInstanceId: 13200

evStatus: eventId=1104988000052754142 vendor=Cisco
  originator:
    hostId: ChicagoSSM
    appName: mainApp
    appInstanceId: 276
  time: 2005/02/09 18:55:06 2005/02/09 11:55:06 GMT-07:00
  controlTransaction: command=getEventStoreStatistics successful=true
    description: Control transaction response.
    requestor:
      user: cisco
      application:
        hostId: 127.0.1.1
        appName: -cidcli
        appInstanceId: 13200

You can clear events stored locally in the AIP-SSM by using the clear events command, as demonstrated in Example 14-20.

Example 14-20. Clearing Events

ChicagoSSM# clear events
Warning: Executing this command will remove all events currently stored in the event store.
Continue with clear? []: yes

The AIP-SSM displays a warning message asking you to confirm the removal of all the events stored on the system, because they will be lost if they have not been retrieved by a management or monitoring device.

Displaying and Clearing Statistics

The CLI enables you to collect statistics about different CIPS services, components, and applications. The show statistics command is used to display such information. Example 14-21 shows the show statistics command options.

Example 14-21. show statistics Command Options

ChicagoSSM# show statistics ?
analysis-engine     Display analysis engine statistics.
authentication      Display authentication statistics.
denied-attackers    Display denied attacker statistics.
event-server        Display event server statistics.
event-store         Display event store statistics.
host                Display host statistics.
logger              Display logger statistics.
network-access      Display network access controller statistics.
notification        Display notification statistics.
sdee-server         Display SDEE server statistics.
transaction-server  Display transaction server statistics.
transaction-source  Display transaction source statistics.
virtual-sensor      Display virtual sensor statistics.
web-server          Display web server statistics.

The show statistics analysis-engine command displays traffic statistics and health information about the AIP-SSM analysis engine. Example 14-22 includes the output of this command.

Example 14-22. show statistics analysis-engine Command Output

ChicagoSSM# show statistics analysis-engine
Analysis Engine Statistics
 Number of seconds since service started = 1665921
 Measure of the level of current resource utilization = 0
 Measure of the level of maximum resource utilization = 0
 The rate of TCP connections tracked per second = 0
 The rate of packets per second = 0
 The rate of bytes per second = 0
 Receiver Statistics
  Total number of packets processed since reset = 0
  Total number of IP packets processed since reset = 0
 Transmitter Statistics
  Total number of packets transmitted = 0
  Total number of packets denied = 0
  Total number of packets reset = 0
 Fragment Reassembly Unit Statistics
  Number of fragments currently in FRU = 0
  Number of datagrams currently in FRU = 0
 TCP Stream Reassembly Unit Statistics
  TCP streams currently in the embryonic state = 0
  TCP streams currently in the established state = 0
  TCP streams currently in the closing state = 0
  TCP streams currently in the system = 0
  TCP Packets currently queued for reassembly = 0
 The Signature Database Statistics.
  Total nodes active = 0
  TCP nodes keyed on both IP addresses and both ports = 0
  UDP nodes keyed on both IP addresses and both ports = 0
  IP nodes keyed on both IP addresses = 0
 Statistics for Signature Events
  Number of SigEvents since reset = 0
 Statistics for Actions executed on a SigEvent
  Number of Alerts written to the IdsEventStore = 0

You can use the show statistics authentication command to display statistics on failed and total authentication attempts to the AIP-SSM module. Example 14-23 shows the output of this command.

Example 14-23. show statistics authentication Command Output

ChicagoSSM# show statistics authentication
General
 totalAuthenticationAttempts = 144
 failedAuthenticationAttempts = 9

In Example 14-23, there were 9 failed authentication attempts out of 144 total attempts.

Example 14-24 includes the output of the show statistics event-server command. This command only displays the number of open and blocked connections to the AIP-SSM from event management stations.

Example 14-24. show statistics event-server Command Output

ChicagoSSM# show statistics event-server
General
 openSubscriptions = 10
 blockedSubscriptions = 0
Subscriptions

The show statistics event-store command gives you more useful information. It displays detailed information about the event store. Example 14-25 includes the output of this command.

Example 14-25. show statistics event-store Command Output

ChicagoSSM# show statistics event-store
Event store statistics
 General information about the event store
  The current number of open subscriptions = 10
  The number of events lost by subscriptions and queries = 0
  The number of queries issued = 0
  The number of times the event store circular buffer has wrapped = 0
 Number of events of each type currently stored
  Debug events = 0
  Status events = 59
  Log transaction events = 0
  Shun request events = 0
  Error events, warning = 1
  Error events, error = 8
  Error events, fatal = 0
  Alert events, informational = 2
  Alert events, low = 0
  Alert events, medium = 0
  Alert events, high = 0

Another command that is very useful for troubleshooting is the show statistics host command. It includes network and link statistics, health of the AIP-SSM module (i.e., CPU and memory utilization), and other administrative items such as NTP and auto-update statistics. Example 14-26 includes the output of this command.

Example 14-26. show statistics host Command Output

ChicagoSSM# show statistics host
General Statistics
 Last Change To Host Config (UTC) = 03:00:39 Tue Feb 15 2005
 Command Control Port Device = GigabitEthernet0/0
Network Statistics
 ge0_0  Link encap:Ethernet  HWaddr 00:0B:FC:F8:01:2C
        inet addr:172.23.62.92  Bcast:172.23.62.255  Mask:255.255.255.0
        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
        RX packets:3758776 errors:0 dropped:0 overruns:0 frame:0
        TX packets:272436 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:471408183 (449.5 MiB)  TX bytes:183240697 (174.7 MiB)
        Base address:0xbc00 Memory:f8200000-f8220000
NTP Statistics
 status = Not applicable
Memory Usage
 usedBytes = 500649984
 freeBytes = 1484054528
 totalBytes = 1984704512
Swap Usage
 Used Bytes = 0
 Free Bytes = 0
 Total Bytes = 0
Summertime Statistics
 start = 03:00:00 PDT Sun Apr 03 2005
 end = 01:00:00 GMT-08:00 Sun Oct 30 2005
CPU Statistics
 Usage over last 5 seconds = 0
 Usage over last minute = 0
 Usage over last 5 minutes = 0
Memory Statistics
 Memory usage (bytes) = 500559872
 Memory free (bytes) = 1484144640
Auto Update Statistics
 lastDirectoryReadAttempt = 01:03:09 GMT-08:00 Mon Feb 14 2005
  Read directory: scp://scpuser@192.168.10.188//updates/sigupdatefile.pkg/
  Error: Failed attempt to get directory listing from remote auto update server:
  ssh: connect to host 192.168.10.188 port 22: Connection timed out
 lastDownloadAttempt = N/A
 lastInstallAttempt = N/A
 nextAttempt = 01:00:00 GMT-08:00 Wed Feb 16 2005

In the Auto Update Statistics section of Example 14-26, you can see that the AIP-SSM attempted to connect to the server with IP address 192.168.10.188 over SSH (TCP port 22) without success. The connection timed out because of network connectivity problems.
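The calendar-schedule settings from Step 7 and the Auto Update Statistics section of Example 14-26 can be cross-checked offline with a small script. The following Python is an added example, not code from the book or from the CIPS software: it parses a constructed copy of the Auto Update Statistics output, flags the failed directory read, and recomputes the next scheduled attempt from the days-of-week and times-of-day values so that it can be compared with the nextAttempt the sensor reports.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the "Auto Update Statistics" section that
# "show statistics host" prints, modelled on the failed SCP directory
# read shown in Example 14-26 (not a real capture).
SAMPLE_AUTO_UPDATE = """\
Auto Update Statistics
   lastDirectoryReadAttempt = 01:03:09 GMT-08:00 Mon Feb 14 2005
      Read directory: scp://scpuser@192.168.10.188//updates/sigupdatefile.pkg/
      Error: Failed attempt to get directory listing from remote auto update server:
      ssh: connect to host 192.168.10.188 port 22: Connection timed out
   lastDownloadAttempt = N/A
   lastInstallAttempt = N/A
   nextAttempt = 01:00:00 GMT-08:00 Wed Feb 16 2005
"""

# Sensor timestamps look like "01:03:09 GMT-08:00 Mon Feb 14 2005"; the
# zone and weekday are skipped because the date alone fixes the weekday.
_TS = re.compile(r"(\d{2}:\d{2}:\d{2}) \S+ \w{3} (\w{3}) (\d{1,2}) (\d{4})")
WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_timestamp(value):
    """Return the timestamp as a naive datetime in sensor local time, or None for N/A."""
    m = _TS.search(value)
    if m is None:
        return None
    return datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")


def parse_auto_update(text):
    """Collect the 'key = value' fields of the section plus any error lines."""
    stats = {"errors": []}
    for raw in text.splitlines():
        line = raw.strip()
        if " = " in line:
            key, _, value = line.partition(" = ")
            stats[key] = value
        elif line.startswith(("Error:", "ssh:")):
            stats["errors"].append(line)
    return stats


def auto_update_findings(stats):
    """Turn the parsed section into findings an operator should act on."""
    findings = []
    if stats["errors"]:
        findings.append("directory read failed: " + " | ".join(stats["errors"]))
    if stats.get("lastInstallAttempt", "N/A") == "N/A":
        findings.append("no signature update has been installed automatically yet")
    return findings


def next_calendar_attempt(days_of_week, times_of_day, after):
    """First run of a calendar-schedule (days-of-week x times-of-day) strictly after 'after'."""
    wanted = {WEEKDAYS.index(d.lower()) for d in days_of_week}
    candidates = []
    for offset in range(8):  # one week ahead always reaches the next slot
        day = after.date() + timedelta(days=offset)
        if day.weekday() not in wanted:
            continue
        for t in times_of_day:
            run = datetime.combine(day, datetime.strptime(t, "%H:%M:%S").time())
            if run > after:
                candidates.append(run)
    return min(candidates)


if __name__ == "__main__":
    stats = parse_auto_update(SAMPLE_AUTO_UPDATE)
    print(auto_update_findings(stats))
    last = parse_timestamp(stats["lastDirectoryReadAttempt"])
    print(next_calendar_attempt(["Monday", "Wednesday", "Friday"], ["01:00:00"], last))
```

Running the script against the sample reports the timed-out SCP connection and confirms that the sensor's nextAttempt (Wednesday 01:00) is what the Monday/Wednesday/Friday schedule predicts after a Monday 01:03 attempt.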

To display IP logger statistics, use the show statistics logger command. The output of this command is included in Example 14-27.

Example 14-27. show statistics logger Command Output

ChicagoSSM# show statistics logger
The number of Log interprocessor FIFO overruns = 0
The number of syslog messages received = 331
The number of events written to the event store by severity
 Fatal Severity = 0
 Error Severity = 78
 Warning Severity = 358
 TOTAL = 436
The number of log messages written to the message log by severity
 Fatal Severity = 0
 Error Severity = 78
 Warning Severity = 27
 Timing Severity = 0
 Debug Severity = 0
 Unknown Severity = 62
 TOTAL = 167

IP logging is covered in detail in the following section.


Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231