New vulnerabilities that pose a threat to networks and hosts are discovered every day. Cisco regularly releases signature updates to enhance the capability of your sensors to detect these new attacks by adding new attack signatures to the sensor's database. Cisco also releases service packs to improve the sensor's intrusion-prevention capabilities.
You can install these software updates either automatically or manually (using the sensor's command-line interface [CLI] or the IPS Device Manager [IDM]). Besides installing software updates, you may periodically need to troubleshoot the operation of your sensor. The sensor's CLI provides several commands that inform you about the operation of your sensor and enable you to perform some basic troubleshooting on your sensor.
Cisco is continually enhancing the capabilities of its IPS software. New signatures are being added to address new attacks as they are discovered. These improvements are deployed via the following two types of software releases:
The file format of new software releases indicates the type of software update along with its version information. In addition, you have several ways in which you can retrieve and install the updates on your sensors.
IPS Software File Format
The Cisco IPS software releases have a filename that comprises the following components (see Figure 11-1):
Figure 11-1. Cisco IPS Software File Naming Convention
Cisco releases the following two types of software updates:
Service packs are updates to the actual sensor software, enhancing the functionality of your sensor with new capabilities. A service pack is recognizable by the keyword sp in the filename.
You may also encounter a minor version update. This file is indicated by the min keyword in the filename (instead of the sp keyword). A minor update typically includes only small enhancements to the sensor's functionality (along with bug fixes), whereas a major update usually includes significant changes to the sensor's functionality along with bug fixes.
Unlike service packs, signature updates do not add new features to your sensor's software. They are released to add new signatures to your sensor. Since Cisco IPS uses multiple signature engines, it is easy to add new signatures without actually changing the software that the sensor is running. A signature update is recognizable by the keyword sig in the filename.
Cisco IPS Version
The Cisco IPS version comprises the following two numbers:
The major version is listed first and is followed by the minor version. The two numeric values are separated by a decimal. For instance, if the Cisco IPS version is 4.1, the major version is 4 and the minor version is 1.
Service Pack Level
Between major and minor software releases, Cisco releases service packs. Service packs are usually released to patch the Cisco IPS software. These updates are incremental improvements to the Cisco IPS software. For instance, 4.0-2 indicates that there have been two service packs for the 4.0 software release.
As signatures are added to Cisco IPS, it is important to know which signatures are included in which software versions. Therefore, the software updates include a signature version that indicates which signatures are included in the update. The signature version is a number, such as 42, preceded by an S.
The extension can be one of the following values:
The rpm.pkg extension contains an executable file that contains either a signature update or a new service pack.
The readme (or readme.txt) extension is a text file that provides you with relevant information about a specific service pack or signature update. Reading this information before you update your sensor is important to maintaining the correct operation of your Cisco IPS since it indicates any problems associated with the new software. The readme files also indicate any hardware requirements as well.
The zip extension (indicating standard zip compression format) is used by the updates that you need to apply to IDS MC so that it can understand the new signatures that are added to a sensor. IDS MC needs this information because it maintains a copy of the sensor's configuration that it enables the user to modify.
Software Update Guidelines
To ensure the correct operation of your Cisco IPS sensors, you need to follow several guidelines when updating you sensor software. The guidelines are divided into the following tasks:
An important step in updating your sensors is to read the release notes. These documents contain important caveats and known issues that apply to the software update. By understanding these issues beforehand, you can make an informed decision as to whether these factors impact the installation of the new software on your sensors.
Service pack updates must be applied in order since they are incremental updates to the sensor software. For instance, to go from 3.1-0 to 3.1-2, you must first apply 3.1-1 and then apply 3.1-2. Signature updates are cumulative and do not have the same restriction.
Upgrading Sensor Software
You can upgrade your sensor software through the following two mechanisms:
Saving Current Configuration
When you upgrade your sensor software, it automatically preserves your current configuration information. Backing up the current configuration before you perform the upgrade, however, is a good safety measure in case the image becomes corrupted during the upgrade. To back up the current configuration to a remote system using the sensor's CLI, use the following command:
copy current-config destination-url
When you specify the destination URL, you use one of the following protocols (for more information on specifying URLs refer to the following section, "Software Installation via CLI"):
You can also maintain a backup of the current configuration on the sensor by using the following command:
copy current-config backup-config
Regularly saving a copy of your sensor's configuration is useful in case you ever have to re-image your sensor. When you re-image your sensor, you lose most of your configuration information. Having a backup of the configuration enables you to easily restore the original configuration.
Software Installation via CLI
To upgrade the sensor software from the sensor's CLI, you first need to have access to the update file. Using the CLI, you can use the following methods to access the update file:
Next you need to log in to the sensor with an account that has been assigned the Administrator role, since running the upgrade command requires administrative privileges. The syntax of the upgrade command is as follows:
Using this single command, you can apply both service packs as well as signature updates. The source URL indicates where the update file is stored. The URL syntax varies slightly, depending on the type of server where the update resides. Use the following guidelines when designating the source of the update file:
The sensor cannot download signature updates and service packs directly from Cisco.com. You must download the signature update or service pack from Cisco.com to your FTP server and then configure the sensor to download it from your FTP server.
The upgrade command prompts you for the password that is required to authenticate the file transfer. Instead of specifying all of the parameters, you can also just supply the server type, as in the following example:
When you just specify the server type, you will be prompted for the rest of the fields as in the command sequence in Example 11-1.
Example 11-1. Upgrading Sensor Software via the Sensor CLI
sensor(config)# upgrade ftp: User: stat Server's IP Address: 10.89.152.40 Port: File name: /tftpboot/IDS/IDS-K9-min-4.1-0.2-S42-0.2-.rpm.pkg Password: ***** Warning: Executing this command will apply a minor version upgrade to the application partition. The system may be rebooted to complete the upgrade. Continue with upgrade? : yes
Software Installation Using IDM
Instead of using the sensor's CLI, you can also use the IDM interface to apply service packs and signature updates to your sensor. Again, you need to first download the update to your own server. Then you need to perform the following steps (when using IDM to apply software updates to your sensor):
Configuring Automatic Software Updates Using IDM
Using IDM, you can configure the sensor to automatically update the software on your sensor. You basically configure your sensor to regularly check a specific server (controlled by your organization) for software updates by using one of the following intervals:
You can also configure your sensor to automatically update the software on your sensor from the sensor CLI by using the auto-upgrade-option command that is available in the "service host" configuration mode.
If you choose to update hourly, you must specify a frequency (in hours) at which the sensor will check for new software updates. Your other option is to specify a day of the week on which to check for new software updates. For both of these options, you must also specify the time of day on which you want the actual update to be performed. When a new software update is found on the server, the sensor will wait to apply the software update until the time of day that you have specified.
To use the automatic update mechanism available via IDM, you need to perform the following steps:
Downgrading an Image
In some situations, you may need to return to a previous sensor software version. This capability enables you to test a new software release on your sensor but provides protection in that you can always revert to your previous sensor software version if you have any problems. The downgrade sensor CLI command provides this functionality. The syntax for this command is as follows:
When you run the downgrade command, you remove the software installed by the most recent use of the upgrade command. Using the downgrade command, you can restore only the sensor software image that the sensor was running before the last upgrade. The sensor software has no visibility past the previous image running on the sensor, so you cannot run the downgrade command multiple times to return to images prior to the previous image that was running on the sensor.
You can determine which software the downgrade command will remove by running the show version command on the sensor's CLI and examining the Upgrade History section.
Updating the Sensor's License
Your Cisco IPS version 5.0 sensor software will function without a valid license key. To install software updates, however, you will need to configure your sensor with a valid license key. You can configure you sensor with a license key from the Cisco.com licensing server, or you can specify a license file on your local system.
When requesting a license key from Cisco.com (http://www.cisco.com/go/license), you will need to provide the serial number for the sensor. You can obtain the serial number by using the show version sensor CLI command. The serial number is also displayed on the IDM Licensing configuration screen.
To update your sensor license by using IDM, perform the following steps:
If your sensor's software becomes corrupted, you will need to re-image your sensor to restore its software to the correct operational condition. When you re-image a sensor, all accounts are removed and the default Cisco account is reset to the default password (cisco). You must also initialize the sensor again by running the setup command.
Before re-imaging your sensor, you should back up the current configuration. You can use the CLI command copy current-config destination-URL.
When using the recover application-partition CLI command, you replace all the applications on your sensor with copies of these programs stored on the recovery partition. After using the recover application-partition command, all of your configuration information on the sensor is removed except for the network parameters, such as the IP address.
Signature updates and service packs are not automatically applied to the recovery partition. Therefore, you need to keep your recovery partition updated with signatures and service packs. Otherwise, you will need to use the upgrade command (after using the recover command) to reapply the signature updates and service packs. You can update the recovery partition by using the upgrade command with an image specifically created for the recovery partition. These images contain an r in their name, as in IPS-K9-r-1.1-a-5.0-0.30.pkg.
Restoring Default Sensor Configuration
Sometimes you may want to remove all of the changes that you have performed to a sensor's configuration. This option is helpful if you want to reconfigure a sensor and guarantee that you are starting at the initial default settings. You may do this when you are initially deploying sensors on your network and run into a problem with the configuration or when you are moving a sensor from one location in the network to another and want to reconfigure the sensor from its default configuration.
Restoring Default Configuration Using the CLI
To return a sensor to all of the default settings, you use the default service command. This command allows you to selectively reset portions of the sensor configuration to their default settings by specifying one of the service keywords shown in Table 11-2.
The service keywords correspond to the same keywords you use when configuring the sensor with the service command whose syntax is as follows:
Restoring Default Configuration Using IDM
When using IDM to restore the default sensor configuration, you do not have the option of selectively clearing portions of the sensor's configuration. Instead, all of the default parameters for the sensor's configuration are restored. Restoring the default sensor configuration by using IDM involves the following steps:
Resetting and Powering Down the Sensor
When operating your Cisco IPS, you will occasionally need to either reset or power down your Cisco IPS devices. You can perform both of these operations at the sensor CLI and through the IDM graphical interface.
Resetting the Sensor Using the Sensor CLI
From the sensor CLI, you can reset or power down the sensor by using the reset command. The syntax for the reset command is as follows:
Using the reset command without any command line options causes the sensor to reboot. Before rebooting the sensor, however, you must confirm the operation by entering yes in response to the following prompt:
Ids4240# reset Warning: Executing this command will stop all applications and reboot the node. Continue with reset? :
Adding the powerdown option causes the reset command to shut down the sensor instead of rebooting the sensor.
To execute the reset command, your account must be assigned the Administrator role.
Resetting the Sensor Using IDM
From the IDM graphical interface, you can also reset or power down the sensor. To reset the sensor from IDM, perform the following steps:
The process for shutting down the sensor is similar to the process for rebooting the sensor, except that you click on Shutdown Sensor instead of Reboot Sensor.