Basic Sensor Configuration In every Cisco IPS deployment, basic sensor configuration tasks enable you to effectively use your Cisco IPS to monitor and protect your network. This chapter focuses on the following configuration tasks: Sensor Host Configuration Tasks Besides configuring the IPS functionality on your sensors, you also need to configure characteristics of the sensor itself, such as the following: Allowed hosts User accounts Time parameters Secure Shell (SSH) hosts
Configuring Allowed Hosts During the initial sensor configuration using the setup CLI command, you define the basic sensor network parameters (such as IP address and default gateway) as well as change the list of hosts allowed to access the sensor. Only hosts that have been allowed via access list entries are allowed to manage your sensors. To configure the systems (via the IDM interface) that are allowed to access the sensor's command and control interface, perform the following steps: Step 1. | Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
| Step 2. | Click on the Configuration icon to display the list of configuration tasks.
| Step 3. | If the items under the Sensor Setup category are not displayed, click on the plus sign to the left of Sensor Setup.
| Step 4. | Click on Allowed Hosts to access the Allowed Hosts configuration screen (see Figure 4-1). This screen displays the current list of allowed hosts.
Figure 4-1. Allowed Hosts Configuration Screen 
| Step 5. | To add a host or network to list of allowed hosts, click on Add to display the Add Allowed Host popup window (see Figure 4-2).
Figure 4-2. Add Allowed Hosts Popup Window 
| Step 6. | Enter the IP address and network mask for the host or network you want to add to the Allowed Hosts list.
| Step 7. | Click on OK to add the new entry to the Allowed Hosts list (or click on Cancel to abort the addition).
| Step 8. | Click on Apply to apply the changes to the sensor's configuration.
|
Note Besides adding new entries to the Allowed Hosts list, you can also edit and delete existing entries by highlighting an entry and then clicking on either Edit or Delete. When removing access list entries, you can remove access for the system that is currently accessing the sensor via IDM. If you do this, you will no longer be able to access the sensor once you apply the changes (the sensor does not wait for the IDM session to end before the access changes are applied).
Configuring Sensor User Accounts When accessing your sensor (via the web interface, the console port, Telnet, or SSH), you authenticate by using a username and password. The role of the user account that you use to access the sensor determines the operations that you are allowed to perform on the sensor. Each account is assigned one of the following roles (explained in detail in the "User Roles" section of Chapter 2, "IPS Command-Line Interface"): Administrator Operator Viewer Service
Note The Service role can be assigned to only one user account on your sensor. It is provided solely as an account that the Technical Assistance Center (TAC) uses to troubleshoot operational problems on your sensor.
To add a user account with Administrator privileges to your sensor using IDM perform the following steps: Step 1. | Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
| Step 2. | Click on the Configuration icon to display the list of configuration tasks.
| Step 3. | If the items under the Sensor Setup category are not displayed, click on the plus sign to the left of Sensor Setup.
| Step 4. | Click on Users to access the Users configuration screen (see Figure 4-3). This screen displays the current list of user accounts.
Figure 4-3. Users Configuration Screen 
| Step 5. | To add a new user account, click on Add to display the Add User popup window (see Figure 4-4).
Figure 4-4. Add User Popup Window 
Note If your browser is configured to block popup windows, this will interfere with the operation of IDM since many operations (such as Add User configuration) are displayed in a popup window. Therefore, for IDM to operate correctly, you will need to enable popup windows for the sensor's IP address. | Step 6. | Enter the name of the new account in the Username field.
| Step 7. | Specify the user role for the new account by using the User Role pull-down menu.
| Step 8. | Next, specify the password for the account in the Password field. You will need to re-enter the same password in the Confirm Password field.
Note Your password must be at least six characters long and contain at least five different characters. If your password is less than six characters long, you will see an Error popup window (see Figure 4-5), and you will not be able to add the new account. These are the minimum password requirements; passwords should also follow guidelines in your security policy for devices on your network. Figure 4-5. Password Error Popup Window 
| Step 9. | Click on OK to add the new account (or click on Cancel to abort the addition).
| Step 10. | Click on Apply to apply the changes to the sensor's configuration.
|
Configuring the Sensor's Time Parameters Maintaining the correct time on your sensors is important to help correlate events across multiple devices on your network. You can configure your sensor's time manually, or you can use a Network Time Protocol (NTP) server. When configuring time settings on your sensor, you can make the following major changes: All of the time settings are configured via the Time sensor configuration screen (see Figure 4-6). Figure 4-6. Time Configuration Screen 
Manually Setting the Clock To manually set the sensor's internal clock, you need to perform the following steps: Step 1. | Click on Sensor Setup > Time from the IDM configuration options to access the Time configuration screen.
| Step 2. | Change the information in either the Date or Time fields.
| Step 3. | Click on Apply Time to Sensor to propagate the time changes to the sensor.
|
Note If you make changes to both the actual time (setting the sensor's clock to a new time value) and the sensor's time configuration parameters (such as time zone and summertime settings), click on Apply Time to Sensor before you click on Apply. Failing to do so will cause you configuration changes to be saved, but your changes to the sensor's clock settings will be lost.
Configuring the NTP Server Settings Instead of manually configuring the time on your sensor, you can synchronize the time on your network devices by using an NTP server. To configure your sensor to retrieve its time from an NTP server, perform the following steps: Step 1. | Click on Sensor Setup > Time from the IDM configuration options to access the Time configuration screen.
| Step 2. | Enter the IP address of the NTP server in the IP Address field.
| Step 3. | Enter the key to be used to access the NTP server in the Key field.
| Step 4. | Enter the identification number of the key in the Key ID field.
| Step 5. | Click on Apply to change the configuration on the sensor.
|
Configuring the Time Zone Using time zones enables you to have the correct local time on your sensors yet easily correlate events from sensors across multiple geographic regions. To adjust a sensor's time based on the local time zone, you need to change the time zone of the sensor. Changing the time zone on the sensor involves the following steps: Step 1. | Click on Sensor Setup > Time from the IDM configuration options to access the Time configuration screen.
| Step 2. | Select the appropriate time zone from the pull-down menu for the Zone Name field.
Note When you select a preconfigured time zone, the UTC Offset field is automatically filled in with the correct value. | Step 3. | Click on Apply to change the configuration on the sensor.
|
Note Besides using the preconfigured time zone values, you can also configure a custom time zone by typing a name in the Zone Name field and specifying the appropriate UTC Offset.
Configuring the Summertime Settings During the summer months, many regions change time to what is commonly called daylight savings time. Configuring the summertime settings involves setting a start date and an end date as well as defining what day and time the change is to occur. When defining the dates, you can use one of the following formats: With Recurring format, you specify a date based on the three parameters shown in Table 4-2. Using the Date format, you specify only the month and day (such as "October 23"). Table 4-2. Recurring Date ParametersParameter | Valid Values |
|---|
Month | January, February, March, April, May, June, July, August, September, October, November, December | Day of the week | Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday | Week of the month | First, Second, Third, Fourth, Fifth, Last |
You can configure your sensor to automatically change its time according to your summertime schedule by performing the following steps: Step 1. | On the IDM configuration options, click on Sensor Setup > Time to access the Time configuration screen.
| Step 2. | To enable your sensor to alter its time during the summer months, check the Enable Summertime check box.
| Step 3. | To configure the summertime parameters, click on the Configure Summertime button to access the Configure Summertime configuration screen (see Figure 4-7).
Figure 4-7. Configure Summertime Configuration Screen 
| Step 4. | Select the time zone by using the pull-down menu next to the Summer Zone Name field.
Note Selecting the time zone in the Summer Zone Name field automatically fills in the Offset field. | Step 5. | Enter the time at which the starting-day change takes place by entering a value in the Start Time field.
| Step 6. | Enter the time at which the ending-day change takes place by entering a value in the End Time field.
| Step 7. | If the time change is recurring, select the Recurring radio button. Otherwise, select the Date radio button to indicate that the time change occurs on a specific date.
| Step 8. | Using the pull-down menus, specify the date on which the time change starts.
| Step 9. | Using the pull-down menus, specify the date on which the time change ends.
| Step 10. | Click on Apply to change the configuration on the sensor.
|
Configuring SSH Hosts When you use your sensors to perform blocking, they log in to your network infrastructure devices by using SSH. Before you can establish an SSH session from your sensor to another device, you must add the device's public key to the sensor's list of known SSH hosts. Presently, the IPS sensor's CLI is limited to defining SSH version 1 public keys (meaning that the target system the sensor is connecting to must be running SSH version 1). When connecting to the sensor using SSH, however, your client system can be running SSH version 1 or 2 since the sensor's SSH server can handle both versions. To add systems to the sensor's known SSH host list (using the IDM graphical interface) perform the following steps: Step 1. | Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
| Step 2. | Click on the Configuration icon to display the list of configuration tasks.
| Step 3. | If the items under the Sensor Setup category are not displayed, click on the plus sign to the left of Sensor Setup.
| Step 4. | If the items under the SSH category are not displayed, click on the plus sign to the left of SSH.
| Step 5. | Click on Sensor Setup > SSH > Known Hosts from the IDM configuration options to access the Known Hosts configuration screen (see Figure 4-8).
Figure 4-8. SSH Known Hosts Configuration Screen 
| Step 6. | Click on Add to access the Add Known Host Key popup window (see Figure 4-9).
Figure 4-9. Add Known Host Key Window 
| Step 7. | Enter information for the fields listed in Table 4-3.
Table 4-3. Known Host Key ParametersParameter | Description |
|---|
Modulus Length | ASCII decimal integer in the range 511 to 2048 | Public Exponent | ASCII decimal integer in the range 3 to 232 | Public Modulus | ASCII decimal integer, x, such that (2key-modulus-length) < x < (2(key-modulus-length + 1)) |
Note Instead of manually specifying the known host key parameters, you can retrieve this information after entering the IP address by clicking on Retrieve Host Key. This causes the sensor to connect to the device over the network by using SSH and querying the remote system for its unique host ID key. Although this mechanism is quick, for security reasons you should still manually verify that the key ID presented is the correct one for the remote system (to prevent a man-in-the-middle attack where a rogue system impersonates the remote system). | Step 8. | Click on OK to save the new known host entry.
| Step 9. | Click on Apply to save the configuration information to the sensor.
Note For information on configuring SSH known hosts by using the sensor's CLI, refer to Chapter 2. |
Interface Configuration Tasks Your IPS sensors protect your network by processing the traffic they receive on their monitoring interfaces. With Cisco IPS version 5.0, configuring the sensor's interfaces to process network traffic involves various tasks, such as the following: Enabling monitoring interfaces Editing monitoring interface parameters Configuring inline interface pairs Configuring inline software bypass Configuring traffic flow notifications
Enabling Monitoring Interfaces By default, all of the monitoring interfaces on your sensor are disabled. Before you can use the interfaces for either promiscuous or inline processing, you must enable them. To enable monitoring interfaces on your sensor, perform the following steps: Step 1. | Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
| Step 2. | Click on the Configuration icon to display the list of configuration tasks.
| Step 3. | If the items under the Interface Configuration category are not displayed, click on the plus sign to the left of Interface Configuration.
| Step 4. | Click on Interfaces to access the Interfaces configuration screen (see Figure 4-10). This screen displays the state of the interfaces on the sensor.
Figure 4-10. Interfaces Configuration Screen 
| Step 5. | Highlight an interface by clicking on an interface name.
| Step 6. | Click on Enable to enable the highlighted interface.
Note You can click on Select All to highlight all of the interfaces, or you can hold the CTRL key while clicking on interfaces to select multiple interfaces. Then you can enable all of the highlighted interfaces by clicking on Enable. | Step 7. | Click on Apply to save the configuration changes to the sensor.
|
Editing Monitoring Interface Parameters Besides enabling monitoring interfaces, you can also change the following characteristics for each interface: The interface description is simply a textual description that you can use to describe the specific monitoring interface. The interface speed indicates the bandwidth that the interface is configured to support. The options available are as follows: The interface duplex indicates whether the interface is capable of transmitting and receiving data simultaneously (full duplex) or not simultaneously (half duplex). To use a monitoring interface to examine network traffic, you must enable the interface. The alternate TCP-reset interface enables you to specify an interface (different from the monitoring interface) that the sensor will use to transmit TCP reset traffic. Note In certain sensor configurations (such as those using IDSM2), you cannot send TCP-reset traffic out the monitoring interface. If you want to use the TCP-reset functionality in these configurations, you need to send the TCP resets through the alternate TCP-reset interface. With the IDSM2, port 1 is dedicated to providing an interface to support sending TCP-reset traffic. You may also have to configure an alternate TCP-reset interface in certain configurations when your switch traffic capture mechanism (for promiscuous mode monitoring) does not allow the port receiving the captured traffic to also send traffic.
To edit the properties of an interface, perform the following steps: Step 1. | Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
| Step 2. | Click on the Configuration icon to display the list of configuration tasks.
| Step 3. | If the items under the Interface Configuration category are not displayed, click on the plus sign to the left of Interface Configuration.
| Step 4. | Click on Interfaces to access the Interfaces configuration screen (see Figure 4-10). This screen displays the state of the interfaces on the sensor.
| Step 5. | Highlight an interface by clicking on its name.
| Step 6. | Click on Edit to edit the properties of the highlighted interface by using the Edit Interface popup window (see Figure 4-11).
Figure 4-11. Edit Interface Popup Window 
| Step 7. | Enter the interface description in the Description field.
| Step 8. | To enable the interface, click on the Yes radio button across from Enabled.To disable the interface, click on the No radio button.
| Step 9. | Select the duplex for the interface by using the pull-down menu for the Duplex field. Your options are Auto, Full, and Half.
| Step 10. | Select the speed for the interface by using the pull-down menu for the Speed field.
| Step 11. | If you want to use an alternate interface for TCP resets, click on the Use Alternate TCP Reset Interface check box. Then specify the interface by using the pull-down menu across from Select Interface.
| Step 12. | Click on OK to save your changes.
| Step 13. | Click on Apply to save your changes to the sensor's configuration.
|
Configuring Inline Interface Pairs When operating in inline mode, your sensor bridges the traffic between two distinct virtual LANs VLAN or network interfaces. To perform this bridging requires the use of two interfaces on the sensor. These two interfaces are known as an inline interface pair. To configure inline interface pairs, perform the following steps: Step 1. | Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
| Step 2. | Click on the Configuration icon to display the list of configuration tasks.
| Step 3. | If the items under the Interface Configuration category are not displayed, click on the plus sign to the left of Interface Configuration.
| Step 4. | Click on Interface Pairs to access the Interface Pairs configuration screen (see Figure 4-12). This screen displays interface pairs configured on the sensor.
Figure 4-12. Interface Pairs Configuration Screen 
| Step 5. | Click on Add to access the Add Interface Pair popup window (see Figure 4-13).
Figure 4-13. Add Interface Pair Popup Window 
| Step 6. | Enter a name for the interface pair being added in the Interface Pair Name field.
| Step 7. | Highlight the two interfaces to be used in the interface pair.
| Step 8. | Click on OK to save the interface pair.
| Step 9. | Click on Apply to save the changes to the sensor's configuration.
|
Configuring Inline Software Bypass When operating in inline mode, your sensor bridges the traffic between two devices or VLANs. Similar to a switch in your network, the sensor transfers traffic from one inline sensor interface to the other (after the packet has been inspected). If the sensor software fails or you update the software on your sensor, you need to decide how the sensor will pass traffic (for the inline processing interfaces) while the sensor is not operating. You can configure the sensor to use one of the following three software bypass options: Auto Bypass inspection when analysis engine is stopped Off Always inspect inline traffic On Never inspect inline traffic
Auto bypass mode (the default mode) causes your sensor to automatically bypass inspection whenever the sensor's analysis engine is stopped. This will allow your network traffic to continue to travel through the sensor even if the sensor is not operating. Configuring the bypass mode to Off forces your sensor to inspect network traffic. In this mode, if the analysis engine is stopped, network traffic will not be allowed to pass through the sensor. Therefore, while the analysis engine is stopped, the operation of your network will be impacted because the traffic flow through the sensor also stops. The final bypass mode, On, configures your sensor to never inspect inline traffic. In this mode, the sensor is physically connected as a Layer 2 forwarding device, but the traffic is not inspected. In this mode, the sensor operates purely as a Layer 2 bridge. You should generally use this mode only when debugging problems with your network, because it removes the functionality provided by the sensor. Configuring the bypass mode on your sensor involves the following steps: Step 1. | Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
| Step 2. | Click on the Configuration icon to display the list of configuration tasks.
| Step 3. | If the items under the Interface Configuration category are not displayed, click on the plus sign to the left of Interface Configuration.
| Step 4. | Click on Bypass to access the Bypass configuration screen (see Figure 4-14). This screen displays the currently configured software bypass mode.
Figure 4-14. Bypass Configuration Screen 
| Step 5. | Select the correct bypass mode by using the pull-down menu for the Bypass Mode field.
| Step 6. | Click on Apply to save the changes to the sensor's configuration.
|
Configuring Traffic Flow Notifications You can configure your sensor to generate event messages when the traffic flow across an interface changes based on the following two traffic characteristics: Table 4-4 shows the parameters that you can configure with respect to traffic flow notifications. Table 4-4. Traffic Flow Notification ParametersField | Description |
|---|
Missed Packet Threshold | Specifies the percentage of packets that must be missed during the notification interval before a notification is generated | Notification Interval | Specifies the interval in seconds that the sensor uses for the missed packets percentage notification | Interface Idle Threshold | Specifies the number of seconds that an interface must be idle (and not receiving traffic) before a notification is generated |
Note Each of the Cisco IPS sensors has a maximum amount of network traffic that it can analyze. For instance, the IDS 4240 can analyze a maximum of 250 Mbps of network traffic. The monitoring interfaces, however, can operate at 1 Gbps. Therefore, it is possible for the sensor to receive traffic faster than it can examine it. If a sensor interface is receiving packets that are not processed (in other words, the packets are getting dropped at the interface because they are arriving too quickly for the sensor to examine them), the number of packets that were not processed is recorded in the interface statistics. This information is used to calculate the Missed Packet Threshold. The Missed Packet Threshold notification enables you to determine how often and to what extent your network traffic is exceeding the capacity of the sensor that you are using to monitor the traffic. When it exceeds the capacity of your sensor, the traffic can enter your network without being examined by the sensor.
To configure the sensor's traffic flow notification parameters, perform the following steps: Step 1. | Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
| Step 2. | Click on the Configuration icon to display the list of configuration tasks.
| Step 3. | If the items under the Interface Configuration category are not displayed, click on the plus sign to the left of Interface Configuration.
| Step 4. | Click on Traffic Flow Notifications to access the Traffic Flow Notifications configuration screen (see Figure 4-15). This screen displays the currently configured traffic flow notification settings.
Figure 4-15. Traffic Flow Notifications Configuration Screen 
| Step 5. | Enter the threshold for missed packets in the Missed Packets Threshold field.
| Step 6. | Enter the number of seconds used for the missed packet percentage threshold in the Notification Interval field.
| Step 7. | Enter the allowed number of idle seconds in the Interface Idle Threshold field.
| Step 8. | Click on Apply to save the changes to the sensor's configuration.
|
Analysis Engine Configuration Tasks After configuring the interfaces on your sensor, you must assign them to a virtual sensor before your sensor can use the interfaces to analyze network traffic. You can assign both promiscuous interfaces and inline interface pairs to the same virtual sensor. This capability enables you to have a sensor performing inline functionality at one location at the same time that it is passively monitoring another location in your network. Note Currently the sensor software supports only a single virtual sensor (vs0). In the future, however, Cisco IPS sensors may support multiple virtual sensors. These virtual sensors will enable you to make one physical sensor appear to be multiple sensors (each with unique configuration settings). This concept is similar to that of virtual firewalls, where a single physical firewall can be configured (via software) to operate as multiple virtual firewalls that each have unique configuration parameters.
Note Passively monitoring network traffic refers to operating an interface in promiscuous mode. Using a traffic-capture mechanism (such as Switched Port Analyzer [SPAN] ports), you forward a copy of the network traffic to be analyzed to the specific sensor interface (operating in promiscuous mode). The sensor then examines all of the traffic. Since the traffic is being capture passively, however, the sensor can only react to the traffic, meaning that initial attack packets will still reach the destination system until the sensor initiates an IP-blocking action.
Assigning an interface to a virtual sensor involves the following steps: Step 1. | Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
| Step 2. | Click on the Configuration icon to display the list of configuration tasks.
| Step 3. | If the items under the Analysis Engine category are not displayed, click on the plus sign to the left of Analysis Engine.
| Step 4. | Click on Virtual Sensor to access the Virtual Sensor configuration screen (see Figure 4-16). This screen displays the currently assigned interfaces for the virtual sensor.
Figure 4-16. Virtual Sensor Configuration Screen 
| Step 5. | Click on Edit to access the Edit Virtual Sensor popup window (see Figure 4-17).
Figure 4-17. Edit Virtual Sensor Configuration Screen 
| Step 6. | Highlight an interface by clicking on it.
| Step 7. | Click on Add>> to assign the highlighted interface to the virtual sensor (or click on <<Remove to remove an already assigned interface).
| Step 8. | Click on OK to save the changes.
| Step 9. | Click on Apply to save the changes to the sensor's configuration.
|
|
