Foundation and Supplemental Topics

Sensor Maintenance

New vulnerabilities that pose a threat to networks and hosts are discovered every day. Cisco regularly releases signature updates to enhance the capability of your sensors to detect these new attacks by adding new attack signatures to the sensor's database. Cisco also releases service packs to improve the sensor's intrusion-prevention capabilities.

You can install these software updates either automatically or manually (using the sensor's command-line interface [CLI] or the IPS Device Manager [IDM]). Besides installing software updates, you may periodically need to troubleshoot the operation of your sensor. The sensor's CLI provides several commands that inform you about the operation of your sensor and enable you to perform some basic troubleshooting on your sensor.

Software Updates

Cisco is continually enhancing the capabilities of its IPS software. New signatures are being added to address new attacks as they are discovered. These improvements are deployed via the following two types of software releases:

• Service packs

• Signature updates

The file format of new software releases indicates the type of software update along with its version information. In addition, you have several ways in which you can retrieve and install the updates on your sensors.

IPS Software File Format

The Cisco IPS software releases have a filename that comprises the following components (see Figure 11-1):

• Software type

• Cisco IPS version

• Service pack level

• Signature version

• Extension

Software Type

Cisco releases the following two types of software updates:

• Service packs

• Signature updates

Service packs are updates to the actual sensor software, enhancing the functionality of your sensor with new capabilities. A service pack is recognizable by the keyword sp in the filename.

Note

You may also encounter a minor version update. This file is indicated by the min keyword in the filename (instead of the sp keyword). A minor update typically includes only small enhancements to the sensor's functionality (along with bug fixes), whereas a major update usually includes significant changes to the sensor's functionality along with bug fixes.

Unlike service packs, signature updates do not add new features to your sensor's software. They are released to add new signatures to your sensor. Since Cisco IPS uses multiple signature engines, it is easy to add new signatures without actually changing the software that the sensor is running. A signature update is recognizable by the keyword sig in the filename.

Cisco IPS Version

The Cisco IPS version comprises the following two numbers:

• Major version

• Minor version

The major version is listed first and is followed by the minor version. The two numeric values are separated by a decimal. For instance, if the Cisco IPS version is 4.1, the major version is 4 and the minor version is 1.

Service Pack Level

Between major and minor software releases, Cisco releases service packs. Service packs are usually released to patch the Cisco IPS software. These updates are incremental improvements to the Cisco IPS software. For instance, 4.0-2 indicates that there have been two service packs for the 4.0 software release.

Signature Version

As signatures are added to Cisco IPS, it is important to know which signatures are included in which software versions. Therefore, the software updates include a signature version that indicates which signatures are included in the update. The signature version is a number, such as 42, preceded by an S.

Extension

The extension can be one of the following values:

• rpm.pkg

• readme or readme.txt

• zip

The rpm.pkg extension contains an executable file that contains either a signature update or a new service pack.

The readme (or readme.txt) extension is a text file that provides you with relevant information about a specific service pack or signature update. Reading this information before you update your sensor is important to maintaining the correct operation of your Cisco IPS since it indicates any problems associated with the new software. The readme files also indicate any hardware requirements as well.

The zip extension (indicating standard zip compression format) is used by the updates that you need to apply to IDS MC so that it can understand the new signatures that are added to a sensor. IDS MC needs this information because it maintains a copy of the sensor's configuration that it enables the user to modify.

Software Update Guidelines

To ensure the correct operation of your Cisco IPS sensors, you need to follow several guidelines when updating you sensor software. The guidelines are divided into the following tasks:

• Read the release notes

• Download the appropriate updates to your server

• Install the software update on the sensor

An important step in updating your sensors is to read the release notes. These documents contain important caveats and known issues that apply to the software update. By understanding these issues beforehand, you can make an informed decision as to whether these factors impact the installation of the new software on your sensors.

Note

Service pack updates must be applied in order since they are incremental updates to the sensor software. For instance, to go from 3.1-0 to 3.1-2, you must first apply 3.1-1 and then apply 3.1-2. Signature updates are cumulative and do not have the same restriction.

Upgrading Sensor Software

You can upgrade your sensor software through the following two mechanisms:

• Sensor's CLI

• IDM

Saving Current Configuration

When you upgrade your sensor software, it automatically preserves your current configuration information. Backing up the current configuration before you perform the upgrade, however, is a good safety measure in case the image becomes corrupted during the upgrade. To back up the current configuration to a remote system using the sensor's CLI, use the following command:

copy current-config destination-url

When you specify the destination URL, you use one of the following protocols (for more information on specifying URLs refer to the following section, "Software Installation via CLI"):

• FTP

• HTTP/HTTPS

• Secure Copy (SCP)

You can also maintain a backup of the current configuration on the sensor by using the following command:

copy current-config backup-config

Note

Regularly saving a copy of your sensor's configuration is useful in case you ever have to re-image your sensor. When you re-image your sensor, you lose most of your configuration information. Having a backup of the configuration enables you to easily restore the original configuration.

Software Installation via CLI

To upgrade the sensor software from the sensor's CLI, you first need to have access to the update file. Using the CLI, you can use the following methods to access the update file:

• FTP

• HTTP/HTTPS

• SCP

Next you need to log in to the sensor with an account that has been assigned the Administrator role, since running the upgrade command requires administrative privileges. The syntax of the upgrade command is as follows:

upgrade source-URL-of-update

Using this single command, you can apply both service packs as well as signature updates. The source URL indicates where the update file is stored. The URL syntax varies slightly, depending on the type of server where the update resides. Use the following guidelines when designating the source of the update file:

• ftp://username@ipaddress/RelativeDirectory/filename

• ftp://username@ipaddress//AbsoluteDirectory/filename

• https://username@ipaddress/directory/filename

• http://username@ipaddress/directory/filename

• scp://username@ipaddress/RelativeDirectory/filename

• scp://username@ipaddress//AbsoluteDirectory/filename

Note

The sensor cannot download signature updates and service packs directly from Cisco.com. You must download the signature update or service pack from Cisco.com to your FTP server and then configure the sensor to download it from your FTP server.

The upgrade command prompts you for the password that is required to authenticate the file transfer. Instead of specifying all of the parameters, you can also just supply the server type, as in the following example:

upgrade fttp:

When you just specify the server type, you will be prompted for the rest of the fields as in the command sequence in Example 11-1.

Example 11-1. Upgrading Sensor Software via the Sensor CLI

sensor(config)# upgrade ftp: User: stat Server's IP Address: 10.89.152.40 Port[21]: File name: /tftpboot/IDS/IDS-K9-min-4.1-0.2-S42-0.2-.rpm.pkg Password: ***** Warning: Executing this command will apply a minor version upgrade to the  application partition. The system may be rebooted to complete the upgrade. Continue with upgrade? : yes 

Software Installation Using IDM

Instead of using the sensor's CLI, you can also use the IDM interface to apply service packs and signature updates to your sensor. Again, you need to first download the update to your own server. Then you need to perform the following steps (when using IDM to apply software updates to your sensor):

Step 1.	Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
Step 2.	Click on the Configuration icon to display the list of configuration tasks.
Step 3.	Click on Update Sensor to access the Update Sensor configuration screen(see Figure 11-2). Figure 11-2. Update Sensor Configuration Screen
Step 4.	Using the pull-down menu for the URL field, select the transport protocol(The default is ftp).
Step 5.	In the second half of the URL field, enter the location of the update file.
Step 6.	Enter the username to access the update file in the Username field.
Step 7.	Enter the password needed for the account specified in the Username field in the Password field.
Step 8.	Click on Update Sensor to apply the update to the sensor.

Configuring Automatic Software Updates Using IDM

Using IDM, you can configure the sensor to automatically update the software on your sensor. You basically configure your sensor to regularly check a specific server (controlled by your organization) for software updates by using one of the following intervals:

• Hourly

• Daily

Note

You can also configure your sensor to automatically update the software on your sensor from the sensor CLI by using the auto-upgrade-option command that is available in the "service host" configuration mode.

If you choose to update hourly, you must specify a frequency (in hours) at which the sensor will check for new software updates. Your other option is to specify a day of the week on which to check for new software updates. For both of these options, you must also specify the time of day on which you want the actual update to be performed. When a new software update is found on the server, the sensor will wait to apply the software update until the time of day that you have specified.

To use the automatic update mechanism available via IDM, you need to perform the following steps:

Step 1.	Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
Step 2.	Click on the Configuration icon to display the list of configuration tasks.
Step 3.	Click on Auto Update to access the Auto Update configuration screen (see Figure 11-3). Figure 11-3. Auto Update Configuration Screen
Step 4.	Click on the Enable Auto Update check box to enable the automatic update feature.
Step 5.	Enter the IP address of the server where the updates can be retrieved.
Step 6.	Enter the directory where the updates will be located.
Step 7.	Specify the username and password to be used to access the server and retrieve the updates.
Step 8.	Confirm the password entry by re-entering the password in the Confirm Password field.
Step 9.	Choose the retrieval method by using the File Copy Protocol pull-down menu (you can choose either FTP or SCP as the value).
Step 10.	Choose to check for new updates either hourly or on a specific day of the week by selecting either the Hourly or the Daily radio button.
Step 11.	If you choose Hourly, specify the start time and the frequency (number of hours between checks). You can specify a number between 1 and 8670 for the frequency.
Step 12.	If you choose Daily, specify the start time and the day of the week on which you want to check for new software updates.
Step 13.	Click on Apply to save the changes to the sensor's configuration.

Downgrading an Image

In some situations, you may need to return to a previous sensor software version. This capability enables you to test a new software release on your sensor but provides protection in that you can always revert to your previous sensor software version if you have any problems. The downgrade sensor CLI command provides this functionality. The syntax for this command is as follows:

downgrade

When you run the downgrade command, you remove the software installed by the most recent use of the upgrade command. Using the downgrade command, you can restore only the sensor software image that the sensor was running before the last upgrade. The sensor software has no visibility past the previous image running on the sensor, so you cannot run the downgrade command multiple times to return to images prior to the previous image that was running on the sensor.

Note

You can determine which software the downgrade command will remove by running the show version command on the sensor's CLI and examining the Upgrade History section.

Updating the Sensor's License

Your Cisco IPS version 5.0 sensor software will function without a valid license key. To install software updates, however, you will need to configure your sensor with a valid license key. You can configure you sensor with a license key from the Cisco.com licensing server, or you can specify a license file on your local system.

Note

When requesting a license key from Cisco.com (http://www.cisco.com/go/license), you will need to provide the serial number for the sensor. You can obtain the serial number by using the show version sensor CLI command. The serial number is also displayed on the IDM Licensing configuration screen.

To update your sensor license by using IDM, perform the following steps:

Step 1.	Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
Step 2.	Click on the Configuration icon to display the list of configuration tasks.
Step 3.	Click on Licensing to access the IDM Licensing configuration screen (see Figure 11-4). This screen displays the license currently in use. Figure 11-4. IDM Licensing Configuration Screen
Step 4.	Select the location to retrieve the license from by selecting the radio button next to either Cisco Connection Online or License File.
Step 5.	If you selected License File, you need to also specify the name of the license file by typing it in or clicking on the Browse Local button to use a file browser to specify the license file.
Step 6.	Click on Update License to update the license file that the sensor is using.

Image Recovery

If your sensor's software becomes corrupted, you will need to re-image your sensor to restore its software to the correct operational condition. When you re-image a sensor, all accounts are removed and the default Cisco account is reset to the default password (cisco). You must also initialize the sensor again by running the setup command.

Note

Before re-imaging your sensor, you should back up the current configuration. You can use the CLI command copy current-config destination-URL.

When using the recover application-partition CLI command, you replace all the applications on your sensor with copies of these programs stored on the recovery partition. After using the recover application-partition command, all of your configuration information on the sensor is removed except for the network parameters, such as the IP address.

Note

Signature updates and service packs are not automatically applied to the recovery partition. Therefore, you need to keep your recovery partition updated with signatures and service packs. Otherwise, you will need to use the upgrade command (after using the recover command) to reapply the signature updates and service packs. You can update the recovery partition by using the upgrade command with an image specifically created for the recovery partition. These images contain an r in their name, as in IPS-K9-r-1.1-a-5.0-0.30.pkg.

Restoring Default Sensor Configuration

Sometimes you may want to remove all of the changes that you have performed to a sensor's configuration. This option is helpful if you want to reconfigure a sensor and guarantee that you are starting at the initial default settings. You may do this when you are initially deploying sensors on your network and run into a problem with the configuration or when you are moving a sensor from one location in the network to another and want to reconfigure the sensor from its default configuration.

Restoring Default Configuration Using the CLI

To return a sensor to all of the default settings, you use the default service command. This command allows you to selectively reset portions of the sensor configuration to their default settings by specifying one of the service keywords shown in Table 11-2.

Note

The service keywords correspond to the same keywords you use when configuring the sensor with the service command whose syntax is as follows:

service service-keyword

Restoring Default Configuration Using IDM

When using IDM to restore the default sensor configuration, you do not have the option of selectively clearing portions of the sensor's configuration. Instead, all of the default parameters for the sensor's configuration are restored. Restoring the default sensor configuration by using IDM involves the following steps:

Step 1.	Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
Step 2.	Click on the Configuration icon to display the list of configuration tasks.
Step 3.	Click on Restore Defaults to access the Restore Defaults configuration screen (see Figure 11-5). Figure 11-5. Restore Defaults Configuration Screen
Step 4.	Click on Restore Defaults to restore the sensor's default configuration.
Step 5.	Click on OK to confirm the restoration of the sensor's default settings.

Resetting and Powering Down the Sensor

When operating your Cisco IPS, you will occasionally need to either reset or power down your Cisco IPS devices. You can perform both of these operations at the sensor CLI and through the IDM graphical interface.

Resetting the Sensor Using the Sensor CLI

From the sensor CLI, you can reset or power down the sensor by using the reset command. The syntax for the reset command is as follows:

reset [powerdown]

Using the reset command without any command line options causes the sensor to reboot. Before rebooting the sensor, however, you must confirm the operation by entering yes in response to the following prompt:

Ids4240# reset Warning: Executing this command will stop all applications and reboot the node. Continue with reset? []: 

Adding the powerdown option causes the reset command to shut down the sensor instead of rebooting the sensor.

Note

To execute the reset command, your account must be assigned the Administrator role.

Resetting the Sensor Using IDM

From the IDM graphical interface, you can also reset or power down the sensor. To reset the sensor from IDM, perform the following steps:

Step 1.	Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
Step 2.	Click on the Configuration icon to display the list of configuration tasks.
Step 3.	Click on Reboot Sensor to access the Reboot Sensor configuration screen (see Figure 11-6). Figure 11-6. Reboot Sensor Configuration Screen
Step 4.	Click on Reboot Sensor to reboot the sensor.
Step 5.	Click on OK on the Reboot Sensor confirmation popup window (see Figure 11-7). Figure 11-7. Reboot Sensor Confirmation Popup Window

Note

The process for shutting down the sensor is similar to the process for rebooting the sensor, except that you click on Shutdown Sensor instead of Reboot Sensor.