Foundation and Supplemental Topics


Sensor Installation

When installing your appliance sensor, the necessary steps vary depending on whether you are upgrading an appliance from a version 4.1 or configuring a brand new appliance. When configuring a brand new appliance, you need to initialize the sensor. If you are upgrading, however, your sensor has already been initialized. Therefore, you need to upgrade only the sensor software to Cisco IPS version 5.0. The two methods for upgrading the sensor software from version 4.1 to 5.0 are as follows:

  • Installing 5.0 software via the network

  • Installing 5.0 software from a CD

Note

Installing a second hard-disk drive in a 4235 or 4250 sensor may render the sensor unable to recognize the recover command used for re-imaging the appliance. Spare hard-disk drives are meant to be replacements for the original hard-disk drives, not to be used along with the original hard-disk drive.


Installing 5.0 Software via the Network

Some appliance sensors have no CD-ROM drive. On these systems, you can't upgrade the software by using a CD. Instead, you must perform software upgrade across the network. These systems also require you to connect to the sensor via the serial port to access the sensor CLI since they have no keyboard or mouse ports.

The following appliance sensors are diskless and do not have CD-ROM drives:

  • IDS 4215

  • IDS 4240

  • IDS 4255

To upgrade a diskless appliance sensor, you use the upgrade command (from the sensor's CLI) to install the 5.0 software. The syntax for the upgrade command is as follows:

upgrade source-url 

You can retrieve the new software image through Secure Copy (SCP), FTP, HTTP, or Secure Hypertext Transfer Protocol (HTTPS). When specifying the source-url you can specify either the complete location or simply scp:, ftp:, http:, or https:, in which you will be prompted for the necessary fields. The prompts you see when using SCP are displayed in Example 2-1.

Example 2-1. Prompts When Using SCP
Sensor(config)# upgrade scp: User: IDSuser Server's IP Address: 10.89.139.100 Port[22]: File Name: IDS50/IPS-K9-maj-5.0-0.15b-S91-0.15-.rpm.pkg Password: ******** Warning: Executing this command will apply a major version upgrade to the application partition. The system may be rebooted to complete the upgrade. Continue with upgrade? : yes 

Note

To use SCP to upgrade the sensor software, you must first add the Secure Shell (SSH) server public key (for the host where the new software is located) to the list of sensor's authorized SSH hosts. Do this by using the ssh host-key global configuration command (see the "Adding a Known SSH Host" section later in the chapter).


Installing 5.0 Software from a CD

On sensors that have a CD-ROM drive, you can install the 5.0 software by using the recovery CD, instead of installing through the network.

Note

Installing the 5.0 software via the recovery CD is not an upgrade of the existing 4.1 software. Therefore, the installation will remove your existing software (including all of your configuration information). You should save your configuration before performing the installation.


After powering on the appliance, insert the Cisco IDS 5.0(1) Upgrade/Recovery CD into the CD-ROM drive located in the front of the appliance. Example 2-2 displays the boot menu text that explains the two options you can use to install the 5.0 software.

Example 2-2. Boot Menu
                         Cisco IPS 5.0(1) Upgrade/Recovery CD! - To recover the Cisco IPS 5.0(1) Application using a local keyboard/monitor,    Type: k <ENTER>.    (WARNING: ALL DATA ON DISK 1 WILL BE LOST) - To recover the Cisco IPS 5.0(1) Application using a serial connection,    Type: s <ENTER>, or just press <ENTER>.    (WARNING: ALL DATA ON DISK 1 WILL BE LOST) boot: 

Note

If you do not insert the CD into the drive quickly enough, the system may boot the normal image on the disk. If the system does not boot from the CD, then just leave the CD in the drive and reboot the system.


You can install either from a keyboard connected to the appliance or through a serial connection (via the console port). Your two options are as follows:

  • s (for console port connection)

  • k (for attached PS/2 keyboard)

After the installation is complete, you can continue with the sensor configuration. At this point, the sensor needs to be initialized just like a brand new appliance sensor.

Sensor Initialization

When you install a brand new appliance, you need to perform the following initial configuration tasks:

  • Access the CLI

  • Run the setup command

  • Configure trusted hosts

  • Create the Service account

  • Manually set the system clock

Some other tasks you also may need to perform during initialization include the following:

  • Change your password

  • Add and remove users

  • Add known SSH hosts

Accessing the CLI

To begin sensor initialization, access the CLI by using either an attached keyboard or a serial connection to the console port. The default account is cisco, with a password of cisco. You will be immediately prompted to change this default password. Your new password must have the following properties:

  • Be at least six characters long

  • Contain at least 5 different characters

Note

Selecting strong passwords helps ensure that an attacker cannot easily guess the passwords by using commonly available password cracking tools. The sensor performs some basic checks to strengthen the passwords you use, but you can also take your own precautions. Keep in mind the following when selecting a password:

  • Do not use only letters or only numbers.

  • Do not use recognizable words.

  • Do not use foreign words.

  • Do not use personal information.

  • Do not write down your password.

Improve your password selection by observing the following practices:

  • Make the password at least eight characters long.

  • Mix uppercase and lowercase letters.

  • Mix letters and numbers.

  • Include special characters, such as & and $.

  • Pick a password that you can remember.


Besides accessing the CLI from the serial port (or directly attached keyboard and monitor), you can also connect to the CLI by using either Telnet or SSH. By default, the access lists on the sensor allow access only from systems on the class C subnet 10.1.9.0 (with the sensor being 10.1.9.201 and a default gateway being 10.1.9.1). To enable CLI access to the sensor from other systems, you will need to update the sensor's access control lists (through the service host > network settings sensor global configuration command). By default, access to the sensor through Telnet (TCP port 23) is disabled. SSH access (TCP port 22), however, is enabled.

Running the setup Command

Once you access the CLI by using the default account, you will see the Sensor# prompt. To configure the basic sensor parameters, run the setup command. This command enables you to configure the following sensor parameters:

  • Host name

  • IP address

  • Netmask

  • Default gateway

  • Access list entries

  • Telnet server status (default is disabled)

  • Web server port (default 443)

  • Time settings

  • Promiscuous interfaces

  • Inline interface pairs

When using the setup command, you will see output similar to that in Example 2-3.

Example 2-3. setup Command Output
Sensor# setup     --- System Configuration Dialog --- At any point you may enter a question mark '?' for help. User ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'. Current Configuration: service host network-settings host-ip 10.1.9.201/24,10.1.9.1 host-name Sensor telnet-option disabled access-list 10.1.9.0/24 ftp-timeout 300 login-banner-text exit time-zone-settings offset -360 standard-time-zone-name GMT-06:00 exit summertime-option disabled ntp-option disabled exit service web-server port 443 exit service interface physical-interfaces GigabitEthernet0/3 no description admin-state disabled duplex auto speed 1000 alt-tcp-reset-interface none exit physical-interfaces GigabitEthernet0/2 no description admin-state disabled duplex auto speed 1000 alt-tcp-reset-interface none exit physical-interfaces GigabitEthernet0/1 no description admin-state disabled duplex auto speed 1000 alt-tcp-reset-interface none exit physical-interfaces GigabitEthernet0/0 no description admin-state disabled duplex auto speed 1000 alt-tcp-reset-interface none exit exit service analysis-engine virtual-sensor vs0 description default virtual sensor exit exit Current time: Mon Jan 31 09:54:44 2005 Setup Configuration last modified: Sun Jan 30 00:16:47 2005 Continue with configuration dialog?[yes]: Enter host name[Sensor]: IDS4240 Enter IP interface[10.1.9.201/24,10.1.9.1]:10.40.10.100/24,10.40.10.1 Enter telnet-server status[disabled]: Enter web-server port[443]: Modify current access list?[no]: yes Current access list entries:   [1] 10.1.9.0/24 Delete: Permit: 10.40.0.0/16 Permit: Modify system clock settings?[no]: Modify virtual sensor "vs0" configuration?[no]: yes Current interface configuration   Command control: Management0/0   Unused:     GigabitEthernet0/3     GigabitEthernet0/2     GigabitEthernet0/0     GigabitEthernet0/1   Promiscuous:   Inline:     None Delete Promiscuous interfaces?[no]: Add Promiscuous interfaces?[no]: Add Inline pairs?[no]: yes Pair name: perimeter Description[Created via setup by user cisco]: Perimeter protection sensor Interface1[]: GigabiEthernet0/3 Interface2[]: GigabiEthernet0/2 Pair name: The following configuration was entered. service host network-settings host-ip 10.40.10.100/24,10.40.10.1 host-name Ids4240 telnet-option disabled access-list 10.9.1.0/24 access-list 10.40.10.0/16 ftp-timeout 300 no login-banner-text exit time-zone-settings offset -360 standard-time-zone-name GMT-06:00 exit summertime-option disabled ntp-option disabled exit service web-server port 443 exit service interface physical-interfaces GigabitEthernet0/3 no description admin-state enabled duplex auto speed 1000 alt-tcp-reset-interface none exit physical-interfaces GigabitEthernet0/2 no description admin-state enabled duplex auto speed 1000 alt-tcp-reset-interface none exit physical-interfaces GigabitEthernet0/1 no description admin-state disabled duplex auto speed 1000 alt-tcp-reset-interface none exit physical-interfaces GigabitEthernet0/0 no description admin-state disabled duplex auto speed 1000 alt-tcp-reset-interface none exit inline-interfaces perimeter description Perimeter protection sensor interface1 GigabitEthernet0/3 interface2 GigabitEthernet0/2 exit exit service analysis-engine virtual-sensor vs0 description default virtual sensor logical-interface perimeter exit exit [0] Go to the command prompt without saving this config. [1] Return back to the setup without saving this config. [2] Save this configuration and exit setup. Enter your selection[2]: 

Note

You manage your sensor through the command and control interface. To allow your management systems to access the sensor, you must configure the appropriate network access list entries for appropriate management of IP addresses. In conjunction with using the setup command, these access list entries can be modified at any time by using the service host > network-settings CLI command.


After entering the information for the setup command, you receive the prompt shown at the end of Example 2-3.

Enter 2 (or just press Enter) to save the configuration. After the configuration is saved, you will see the following prompt to change the system time (unless you configured the sensor to use a Network Time Protocol server):

*06:33:33 UTC Thu Nov 18 2004 Modify system date and time?[no]: 

If the time is incorrect, enter yes to change it. You may also be prompted to reboot the sensor with the following prompt:

Continue with reboot? [yes]: 

Enter no to this prompt because you still need to configure a few more parameters. You can reboot the sensor later to make all of the changes take effect at the same time.

Note

To reboot the sensor later, you can use the reset command from the Privileged Exec mode.


Creating the Service Account

You should create a Service account for the Cisco Technical Assistance Center (TAC) to use when troubleshooting problems with your IPS appliance. Unlike other user roles in which the same role can be assigned to multiple user accounts, you can assign the Service role to only one account on your IPS appliance.

To create a Service account, to perform the following steps in an Administrator account:

Step 1.

Log in to CLI on the appliance.

Step 2.

Enter Global Configuration mode by using the following command:

sensor# configure terminal 

Step 3.

Create the Service account (named serv_acct) by using the following username command:

sensor(config)# username serv_acct privilege service 

Step 4.

Enter a password for the Service account when prompted.

Step 5.

Exit the Global Configuration mode by using the following command:

sensor(config)# exit 

When you log in to the IPS appliance by using the Service account, you will receive the warning in Example 2-4.

Example 2-4. Warning When You Use the Service Account to Log in to the IDS Appliance
************************ WARNING ************************ UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be re-imaged to guarantee proper operation. ********************************************************* 

This serves as a reminder that the Service account is designed solely for troubleshooting your sensor's operation and for other support purposes. Adding or enabling additional services or applications will make the IPS appliance configuration unsupported.

Manually Setting the System Clock

Many network environments use automatic clock functionality, such as Network Time Protocol (NTP). These configurations automatically adjust the time on your devices based on a known time source. If you do not have such a mechanism, you may need to manually set the time on your IPS appliance.

Note

The IDS module obtains its time configuration from the Catalyst 6500 switch in which it is housed, so you should not need to set the time by using the clock set command.


Besides running setup, you can also manually set the time on your IPS sensor by using the clock set Privileged Exec command. The syntax for this command is as follows:

clock set hh:mm[:ss] month day year 

The parameters for the clock set command are described in Table 2-2.

Table 2-2. clock set Parameters

Parameter

Description

hh:mm[:ss]

Current time in 24-hour format. Seconds are optional.

day

Numeric value indicating the current day of the month (such as 1 31).

month

Name of the current month (without any abbreviation), such as January or March.

year

The current four-digit year value (such as 2005).


Suppose that you want to set the current time on your IPS appliance to one o'clock in the afternoon on January 1, 2005. To accomplish this, you would use the following command after logging in to your appliance:

sensor# clock set 13:00 January 1 2005 sensor# 

Changing your Password

All users on your IPS appliance can change their password. You can change your password through the CLI by using the password Global Configuration mode command.

Note

You can also change your account password through graphical management applications (such as IPS Device Manager).


The password command requires no parameters. To change your password, enter your old password and then enter your new password twice (to verify that you entered it correctly, since it is not displayed on the screen).

Note

Since the Service account bypasses the sensor CLI, you can change its password either by using an account with administrative privileges or by using the passwd command at the bash shell prompt.


Adding and Removing Users

In the Global Configuration mode, you can add new users to and remove existing users from your sensor. The username Global Configuration mode command enables you to add new users. To remove an existing user, simply insert the keyword no in front of the regular username command. The syntax for the username command is as follows:

username name [password password] [privilege administrator|operator|viewer|service] 

The sequence of commands in Example 2-5 illustrates the process of adding to your sensor the user newuser with a privilege level of Operator.

Example 2-5. Adding to Your Sensor the User newuser with a Privilege Level of Operator
sensor# configure terminal sensor(config)# username newuser privilege operator Enter new login password: ****** Re-enter new login password: ****** sensor(config)# exit sensor# 

Note

From the Privileged Exec mode, you can confirm your user configuration changes by running the show users all command.


You will want to add accounts to support your network environment. At minimum, you need to create an account with Viewer privileges; you will need this to enable your monitoring application to access the sensor and retrieve alarm information.

Note

You can also add and remove accounts through the graphical management applications (such as IPS Device Manager).


Adding a Known SSH Host

Your sensor maintains a list of validated SSH known hosts so that the sensor can verify the identity of the servers with which it communicates when it is operating as an SSH client. Adding an entry to the known SSH hosts list also enables you to do the following:

  • Automatically or manually upgrade the sensor by using SCP

  • Copy current configurations, backup configurations, and IP logs via SCP

The syntax for the ssh host-key command is as follows:

ssh host-key ip-address [key-modulus-length] [public-exponent] [public-modulus] 

The parameters for the ssh host-key command are described in Table 2-3.

Table 2-3. ssh host-key Parameters

Parameter

Description

ip-address

IP address of the SSH server

key-modulus-length

(optional) American Standard Code for Information Interchange (ASCII) decimal integer in the range 511 2048

public-exponent

(optional) ASCII decimal integer in the range 3 232

public-modulus

(optional) ASCII decimal integer, x, such that (2key-modulus-length) < x < (2key-modulus-length + 1)


Note

You will normally specify an IP address only for the ssh host-key global configuration command. The sensor will contact the server and retrieve the other information. These keys are also used for SSH servers that the sensor needs to connect to. You do not have to define keys for the clients that connect to the sensor itself. You can also view the currently configured SSH host keys by using the show ssh host-keys command.


The command sequence in Example 2-6 adds the SSH host key for 10.89.132.78 to the list of known SSH host keys.

Example 2-6. Adding the SSH Host Key for 10.89.132.78 to the List of Known SSH Host Keys
sensor(config)# configure terminal sensor(config)# ssh host-key 10.89.132.78 MD5 fingerprint is BE:70:50:15:2C:13:97:5C:72:53:06:9C:DC:4D:A3:20 Bubble Babble is xepof-tudek-vycal-cynud-tolok-holek-zygaf-kuzak-syfot-tubec-paxox Would you like to add this to the known hosts table for this host?[yes]: yes sensor(config)# exit> sensor# 

Note

To increase security when adding a new SSH host key, you should manually verify the key value presented before you add the new SSH host-key entry. Not verifying the key can allow someone to impersonate the real server.


IPS CLI

Beginning with Cisco IDS version 4.0, the IDS appliance has an IOS-like CLI that you can use to configure your sensor. When initially configuring your IPS appliance, you will use the CLI to perform many of the configuration steps.

Note

Although you can change most of the appliance's properties via the CLI, you will probably use the graphical user interfaces provided by IDS Device Manager and IDS Security Monitor to make most of the configuration changes to your appliance.


Using the Sensor CLI

You can configure essentially every property of your appliance through the CLI. Understanding the following CLI characteristics enables you to use the CLI more effectively:

  • Prompts

  • Help

  • Tab completion

  • Command recall

  • Command case sensitivity

  • Keywords

Each of these characteristics is described in the following sections.

Prompts

Prompts displayed by the CLI are not user changeable, but they do indicate the area of the CLI that you are currently operating in. For instance, the Global Configuration mode is indicated by the following prompt (with a sensor name of "Sensor"):

Sensor(config)# 

For certain CLI commands, the system requires user input. When this happens, a prompt displays an option enclosed in square brackets (such as "[yes]"). To accept this default value, all you need to do is press Enter. Or you can override the default value by typing in another value.

Sometimes the information displayed in CLI exceeds the number of lines available on the screen. When this occurs, the appliance presents you with the more interactive prompt (indicating that more information is available). To display more of the information, you have the following two options:

  • Display the next screen by press the space key.

  • Display the next line by pressing Enter.

Sometimes you may want to abandon the current command line and start over with a blank one. You can abort the current command line by pressing either the Ctrl-C or Ctrl-Q keys.

To return to a previous command level, use the exit command.

Help

To get help on a command, use the ? character. You can use the ? character to obtain help in the following situations:

  • After a complete command

  • In the middle of a command

When using the help character after a complete command, you enter the command, then a space, and then the help character (?), as in Example 2-7.

Example 2-7. Using the Help Character After a Complete Command
Sensor# show ? clock             Display system clock. configuration     Display the current system configuration. events            Display local event log contents. history           Display commands entered in current menu. interfaces        Display statistics and information about system interfaces. inventory         Display PEP information. privilege         Display current user access role. ssh               Display Secure Shell information. statistics        Display application statistics. tech-support      Generate report of current system status. tls               Display tls certificate information. users             Show all users currently logged into the system. version           Display product version information. Sensor# 

Help will display all of the keywords or options that can be used with the partial command that you have already entered.

You can also enter an incomplete command or option and use the help character to display all of the commands or options that begin with the specified sequence of characters, as in Example 2-8.

Example 2-8. Using the Help Character with an Incomplete Command
Sensor(config)# service a? alarm-channel-configuration authentication analysis-engine Sensor(config)# service a 

Tab Completion

Sometimes you may be unsure of the complete command to enter. After you type the beginning of a command, you can press the Tab key to have the system complete the command for you. If multiple commands match the command segment you typed, the system can't fill in the command; instead, it displays the commands that match your partial entry and then redisplays your partial command, as in Example 2-9.

Example 2-9. Using the Tab Key
IDS4240(config)# service a<tab> alarm-channel-configuration authentication analysis-engine IDS4240(config)# service a 

Command Recall

To cycle through the commands you have entered during your CLI session, use the up and down arrow keys on your keyboard. When you reach the end of the list, you will see a blank prompt.

Note

Instead of the arrows keys, you can press Ctrl-P for the up arrow and Ctrl-N for the down arrow.


Command Case Sensitivity

The CLI is case insensitive. For example, Configure and CONFigure represent the same command. When the system echoes the commands that you enter, however, it reproduces the commands in the case you typed. Suppose that you type the following at the command line:

Sensor# CONF 

Now if you press the Tab key to invoke command completion, the system displays the following:

Sensor# CONFigure 

Keywords

When using the CLI, you will enter various commands to change the configuration of your appliance. You can also use the following two keywords when entering commands via CLI:

  • no

  • default

If you want to reverse the effect of a command, you simply precede the command with the no keyword. For example, the access-list command allows management access from a specific host or network; using the no access-list command removes the previously granted access.

Some commands (such as those associated with signature tuning) have a default value. To return a command to its default value, use the default keyword when entering the command.

For instance, when you configure the analysis-engine parameters (accessed via the service analysis-engine global configuration command) as in Example 2-10, the default command option enables you to set either the global-parameters or the virtual-sensor to its default settings.

Example 2-10. Setting Default Values
Ids4240(config-ana)# ? default               Set the value back to the system default setting. exit                  Exit service configuration mode. global-parameters     Platform-wide configuration parameters. no                    Remove an entry or selection setting. show                  Display system settings and/or history information. virtual-sensor        Map of virtual sensor definitions. Ids4240(config-ana)# default ? global-parameters     Platform-wide configuration parameters. virtual-sensor        Reset virtual-sensorcontents back to default. Ids4240(config-ana)# default 

User Roles

Beginning with version 4.0, the IDS appliance incorporated multiple user roles. When you create an account, you must assign it a user role. This user role determines the privileges of the account, and consequently the operations that the user can perform. Your Cisco IPS version 5.0 appliances support the following four user roles:

  • Administrator

  • Operator

  • Viewer

  • Service

Each of these is discussed in the following sections.

Administrator

When you assign the Administrator role to an account, you enable the user of that account to perform every operation on the appliance that is available through the CLI. Some of the capabilities available to accounts with Administrator access are as follows:

  • Add users and assign passwords

  • Enable and disable interfaces

  • Assign interfaces to an interface group

  • Modify host allowed to access appliance

  • Modify sensor address configuration

  • Tune signatures

  • Assign virtual sensor configuration

  • Manage routers for IP blocking

Operator

The second-highest user role is the Operator role. Any accounts assigned the Operator role have unrestricted viewing capability to sensor information, along with the following functions:

  • Modify their own password

  • Tune signatures

  • Manage routers for IP blocking

Viewer

The lowest-privileged user role is the Viewer role. When you assign the Viewer role to an account, you enable the user to view the configuration and event data on your appliance. The only appliance information that users with this role can change is their password.

Note

Applications (such as the IDS Security Monitor) that you use to monitor your IPS appliance can operate with only Viewer-level access to the sensor. You can create an account with Viewer access by using the CLI and then configure your monitoring applications to use this account when retrieving information from your IPS appliance.


Service

The Service role enables you to create a special account that can access the native operating system (OS) command shell rather than the sensor's normal CLI interface. The purpose of this account is not to support configuration of the sensor, but instead to provide an enhanced troubleshooting capability. By default, your sensor does not have a service account. You must create a service account to enable TAC to use this account during troubleshooting.

The sensor allows you to assign the Service role to only one account on the sensor. When the Service account's password is set (or reset), the Linux root account's password is automatically synchronized to this new password. This enables the Service account user to use the su command to access root privileges on the sensor.

Note

On UNIX systems, the most privileged account is named root. This account has virtually unlimited powers on the system. Gaining root access to a system enables an attacker to totally control the system. Similarly, the Service account has virtually unlimited powers on the sensor. Therefore, you need to protect access to the Service account.


Caution

Making modifications to your sensor by using the Service account can make your sensor unsupported by the Cisco TAC. Cisco does not support adding any services or programs to your sensor, since doing so can impact the proper performance and functioning of the other IDS services. Furthermore, access to the Service account is recorded on the sensor.


CLI Command Modes

The CLI on your IPS appliance is organized into various modes. Each of these modes gives you access to a subset of the commands that are available on your IPS appliance. Numerous CLI modes such as the following are available on the IPS appliance:

  • Privileged Exec

  • Global Configuration

  • Service web-server

  • Service analysis-engine

  • Service host

  • Service network-access

  • Service signature-definition

Each of these is described in the following sections.

Privileged Exec

The Privileged Exec mode is the initial mode that you enter upon logging in to the IDS appliance. You can recognize this mode because it is composed of simply the sensor name followed by the # character, such as in the following example (assuming a sensor name of IDS4250):

IPS4250# 

Some of tasks that you can perform in the Privileged Exec mode are as follows:

  • Initialize the sensor

  • Manually set the time

  • Reboot the sensor

  • Enter Global Configuration mode

  • Terminate the current login session

  • Display system settings

Global Configuration

You need to enter the Global Configuration mode, as you do in IOS, to change the configuration parameters on your IPS appliance. You access the Global Configuration mode by entering the configure terminal command from the Privileged Exec mode. When you enter this mode, the prompt changes to the following:

IPS4250(config)# 

Some of tasks that you can perform in the Global Configuration mode are as follows:

  • Change the sensor's host name

  • Create user accounts

  • Configure SSH, Telnet, and Transport Layer Security (TLS) settings

  • Re-image the application partition

  • Upgrade and downgrade system software and images

  • Enter service configuration modes

Service

The Service mode is a generic third-level command mode. It enables you to enter the configuration mode for the following services:

  • analysis-engine

  • authentication

  • event-action-rules

  • host

  • interface

  • logger

  • network-access

  • notification

  • signature-definition

  • ssh-known-hosts

  • trusted-certificates

  • web-server

Each of these is described in the following sections.

Service Analysis-Engine

The analysis-engine mode is a third-level service mode that enables you to perform various tasks such as the following:

  • Create new virtual sensors

  • Assign signature-definitions to virtual sensors

  • Assign event-action-rules to virtual sensors

  • Assign sensing-interfaces to virtual sensors

You can recognize this mode because the prompt changes to the following:

IDS4250(config-ana)# 

Service Authentication

The authentication mode is a third-level service mode that enables you to configure the maximum failure attempts allowed before an account becomes disabled.

You can recognize this mode because the prompt changes to the following:

IPS4250(config-aut)# 

This setting applies to all accounts on the system. By default, account lockout is not enabled. You need to be careful when enabling it, since you can potentially lock out your account that has administrative access.

Service Event-Action-Rules

The event-action-rules mode is a third-level service mode that enables you to perform various event-related tasks such as the following:

  • Define target risk values

  • Define event filters

  • Configure system- and user-defined variables

You can recognize this mode because the prompt changes to the following:

IPS4240(config-rul)# 

When entering this mode, you must specify the name of the instance configuration. Currently, the only instance allowed is rules0. In the future, however, you may be able to specify multiple configuration instances. Therefore, to access the event-action-rules mode, you use the following command:

IPS4240(config)# service event-action-rules rules0 IPS4240(config-url)# 

Note

The event-action-rules configuration replaces the alarm-channel-configuration that was available in Cisco IDS version 4.0.


Service Host

The host mode is a third-level service mode that enables you to perform various host-related tasks such as the following:

  • Enter the network-settings configuration mode

  • Enter the time-zone-settings configuration mode

  • Enable use of an Network Time Protocol (NTP) server

  • Display current settings

You can recognize this mode because the prompt changes to the following:

IPS4250(config-hos)# 

The following two fourth-level configuration modes are accessible via the host mode:

  • network-settings

  • time-zone-settings

The network-settings mode enables you to configure numerous host-related items, such as the following:

  • Configure a sensor's IP address

  • Define a default gateway

  • Define access lists

  • Enable or disable the Telnet server

You can recognize the network-settings mode by the following command prompt:

IPS4250(config-hos-net)# 

The time-zone-settings mode enables you to complete time-related tasks, such as the following:

  • Configure the sensor's time zone

  • Display current time configuration

You can recognize the time-zone-settings mode by the following command prompt:

IPS4250(config-hos-tim)# 

Service Interface

The interface mode is a third-level service mode that enables you to perform the following tasks:

  • Configure physical interfaces

  • Configure inline interface pairs (for inline-capable devices)

  • Configure interface notification parameters

You can recognize the interface mode by the following command prompt:

IPS4250(config-int)# 

Service Logger

The logger mode is a third-level service mode that enables you to configure the debug levels for the sensor. You can recognize this mode because the prompt changes to the following:

IPS4250(config-log)# 

Service Network-Access

The network-access mode is a third-level service mode that enables you to perform the following tasks:

  • Configure settings for PIX firewalls controlled by the Network Access Controller (NAC) process

  • Configure settings for routers controlled by the NAC process

  • Display current NAC-related settings

You can recognize this mode because the prompt changes to the following:

IPS4250(config-net)# 

You can also enter a general fourth-level command mode that enables you to define many of the sensor's IP-blocking (shun) settings, such as the following:

  • Configure never-shun address

  • Configure the master blocking sensor

  • Enable Access Control List logging

  • Display current shun-related settings

You can recognize this fourth-level mode because the prompt changes to the following:

IPS4250(config-net-gen)# 

Service Notification

The notification mode is a third-level service mode that enables you to configure the Simple Network Management Protocol (SNMP) characteristics of the sensor, such as the following tasks:

  • Define community names

  • Define SNMP port

  • Define SNMP trap characteristics

You can recognize this fourth-level mode because the prompt changes to the following:

IPS4250(config-not)# 

Service Signature-Definition

The signature-definition mode is a third-level service mode that enables you to perform various signature-related tasks, such as the following:

  • Define fragment reassembly parameters

  • Define stream reassembly parameters

  • Modify specific signature characteristics

You can recognize this fourth-level mode because the prompt changes to the following:

IPS4250(config-sig)# 

When entering this mode, you must specify the name of the instance configuration. Currently, the only instance allowed is sig0. In the future, however, you may be able to specify multiple configuration instances. To access the signature-definition mode, use the following command:

IPS4240(config)# service signature-definition sig0 IPS4240(config-url)# 

Service SSH-Known-Hosts

The ssh-known-hosts mode is a third-level service mode that enables you to perform various SSH-related tasks, such as the following:

  • Define SSH keys for allowed hosts

  • Remove SSH-allowed hosts

You can recognize this third-level mode because the prompt changes to the following:

IPS4250(config-ssh)# 

Service Trusted-Certificates

The trusted-certificates mode is a third-level service mode that enables you to perform various TLS/SSL-related tasks, such as the following:

  • Define X.509 host certificates for allowed hosts

  • Remove X.509 host certificates

You can recognize this third-level mode because the prompt changes to the following:

IPS4250(config-tru)# 

Service Web-Server

The web-server mode is a third-level service mode that enables you to perform the following tasks:

  • Enable or disable secure Web access

  • Define the port for secure Web access

  • Define the server ID for secure Web access

You can recognize this third-level mode because the prompt changes to the following:

IPS4250(config-web)# 

Administrative Tasks

The sensor command line enables you to perform numerous administrative tasks, such as the following:

  • Display the current configuration

  • Back up the current configuration

  • Restore the current configuration

  • Display events

  • Reboot the sensor

  • Display technical-support information

  • Capture network packets

Some of these tasks will be covered in Chapter 12, "Verifying System Configuration." For detailed information on how to perform these administrative tasks, refer to the CLI documentation at Cisco.com (http://www.cisco.com/go/ids).

Configuration Tasks

The CLI provides you with a textual interface that enables you to configure essentially every facet of the sensor's configuration, such as the following:

  • Configure system variables

  • Configure event filters

  • View signature engines

  • Configure virtual sensor system variables

  • Tune signature engines

  • Generate IP logs

Configuring these tasks through the CLI, however, is not a simple task. Most people prefer to use a graphical interface, such as Cisco IPS Device Manager, to configure these parameters. Numerous chapters in this book explain how to configure these characteristics of your sensor by using the Cisco IPS Device Manager. For complete documentation on Cisco IDS version 5.0 CLI, refer to the documentation at Cisco.com (http://www.cisco.com/go/ids).



CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net