NM-CIDS Overview

NM-CIDS for access routers is a full-featured IPS sensor that can inspect all traffic traversing a router. Figure 14-1 shows an NM-CIDS. It is factory-loaded with the latest Cisco IPS sensor software and is at feature and function parity with the other implementations of Cisco IPS, such as the sensor appliance and the Intrusion Detection System Module 2 (IDSM-2), with the exception of inline mode: the router hands the module a copy of each monitored packet, so the NM-CIDS can detect and alarm but cannot drop traffic in the forwarding path. Because it runs the same software, the NM-CIDS can be managed and monitored with the same applications as the other Cisco IPS sensor devices.

Figure 14-1. NM-CIDS
This chapter focuses on the following aspects of the NM-CIDS:
NM-CIDS Key Features

The NM-CIDS can monitor traffic from all interfaces on the router, including inside and outside interfaces. Through collaboration with the Cisco IOS software, the NM-CIDS can monitor IP Security (IPSec) Virtual Private Network (VPN) and generic routing encapsulation (GRE) traffic in decrypted form when these tunnels terminate on the router, providing inspection at the first point of entry into the network. This capability is an industry first.

Note: The NM-CIDS can monitor traffic from all the interfaces on the router except for the console and auxiliary ports, because these are not regular network interfaces.

The NM-CIDS fits into a single network module slot on the Cisco 2600XM Series, 2691, 3660, 3725, and 3745 routers. Only one NM-CIDS is supported in a given router, but it is not restricted to a specific network module slot within the router. By integrating IPS and branch-office routing, the NM-CIDS reduces the complexity of securing WAN links while lowering operating costs. The NM-CIDS also simplifies power management by using the power options on the router. The NM-CIDS uses a separate processor and memory to maximize performance; this design frees the router CPU from processor-intensive IPS tasks.

NM-CIDS Specifications

Besides understanding the key features of the NM-CIDS, you must also understand its specifications (such as bandwidth capacity) so that you can use this device effectively in your overall Cisco IPS solution. The specifications for the NM-CIDS are as follows:
Note: To use the NM-CIDS on 2691 and 3700 Series routers, your ROM version must be 12.2(8r)T2 or later.

NM-CIDS Front Panel

Although the NM-CIDS is a line card that you insert into your router, it does have indicators on its front panel that show its current operational status. (See Figure 14-2.) The external Fast Ethernet interface for command and control is also located on the front panel of the NM-CIDS. The status LEDs available on the front panel of the NM-CIDS are as follows:
Figure 14-2. NM-CIDS Front Panel

Traditional Appliance Sensor Network Architecture

Before the introduction of the NM-CIDS, the traditional network architecture for a branch office included two devices, the router and a dedicated Cisco IPS sensor. (See Figure 14-3.) This solution typically consists of a Cisco 26xx, 36xx, or 37xx branch-office router connected to a sensor. The Cisco IPS sensor portfolio for the branch office consists of the Cisco IPS 4210, 4215, and 4235 platforms. Each sensor functions as an external appliance that typically has two Fast Ethernet interfaces: one for packet monitoring and the other for command and control.

Figure 14-3. Traditional Appliance Sensor Network Architecture
Little to no configuration is required on the branch router, and the branch router's CPU is affected only to the extent that it forwards WAN traffic to the correct LAN interface. This should not tax the router, so CPU utilization should remain low. The Cisco IPS sensors run their own Cisco IPS software, so the router's Cisco IOS software is not affected when a signature file needs to be updated. Because the router does not participate in IPS inspection, the bandwidth that can be inspected increases dramatically. For example, the IPS 4215 can inspect up to 80 Mbps, and the IPS 4235 can inspect up to 250 Mbps. There are disadvantages to this two-box solution, however: it takes more rack space in the branch office and adds complexity to your network management, compared to a one-box solution.

NM-CIDS Network Architecture

The scenario illustrated in Figure 14-4 is similar to the appliance sensor network architecture, except that the network architecture includes the NM-CIDS. The NM-CIDS integrates the functionality of the Cisco IPS sensor into the branch router. The NM-CIDS is physically installed in a network module slot inside a Cisco 2600XM, 2691, 3660, 3725, or 3745 router. This provides a one-box IPS solution and the ability to monitor all the router's interfaces.

Figure 14-4. NM-CIDS Network Architecture
The NM-CIDS is directly connected to the router's backplane via an internal Fast Ethernet interface onboard the NM-CIDS. This internal interface serves as the monitoring port. Traffic entering the branch office from the WAN interface no longer needs to be forwarded out a LAN interface to reach the sensor, as it does with the appliance solution; instead, the data is copied across the backplane to the internal Fast Ethernet monitoring port of the NM-CIDS. As with Cisco IOS-IDS, WAN interface traffic can be inspected without being routed to a LAN interface. However, the NM-CIDS has an advantage over Cisco IOS-IDS because it runs the same Cisco IPS sensor software as the appliance sensor, which supports a greater number of signatures and makes signature updates easier. The disadvantage of this solution is that it affects the performance of the router: although the actual packet inspection is offloaded to the NM-CIDS, the router must copy every monitored packet to the module, which places an additional load on the router's processor.

NM-CIDS Hardware Architecture

The NM-CIDS provides interface-level packet monitoring. You can select one or more router interfaces or subinterfaces for IPS monitoring. The following are the hardware components of the router and NM-CIDS that enable this functionality (see Figure 14-5):
Figure 14-5. NM-CIDS Hardware Architecture
NM-CIDS Internal Fast Ethernet Interface

The NM-CIDS internal Fast Ethernet interface connects to the Peripheral Component Interconnect (PCI) bus on the router's backplane to provide monitoring capability. This internal Fast Ethernet interface provides a 100-Mbps full-duplex path between the router and the NM-CIDS. The router sends a copy of each packet to be inspected from its PCI bus to this internal Fast Ethernet interface, and the packets pass through the internal monitoring interface for classification and processing. The router-side interface for the internal Ethernet segment is known as interface ids-sensor in the Cisco IOS software. This interface is the only interface associated with the IPS that is visible in the output of the show interfaces command. The router-side internal interface is connected to the router PCI backplane.

NM-CIDS External Fast Ethernet Interface

The NM-CIDS external Fast Ethernet interface is the command and control port. This interface can be connected to a switch, to a hub, or directly to a workstation that has IPS management software.

Internal Universal Asynchronous Receiver/Transmitter Interface

The internal Universal Asynchronous Receiver/Transmitter (UART) provides virtual console access to the NM-CIDS from the backplane of the router. The NM-CIDS differs from a standalone IPS appliance in that it does not have an external console port; the internal UART interface provides the console access instead. Console access to the NM-CIDS is enabled when you issue the service-module ids-sensor slot/0 session command from the Cisco IOS command-line interface (CLI).

NM-CIDS Disk, Flash, and Memory

The NM-CIDS has its own disk, Flash, and memory and does not share those of the router. This minimizes the impact that the operation of the NM-CIDS has on the router.

Traffic Capture for NM-CIDS

The forwarding of packets to the NM-CIDS is implemented in the Cisco Express Forwarding (CEF) switching path of Cisco IOS software.
CEF is an advanced Layer 3 IP switching technology supported in Cisco IOS Software Releases 12.0 and later. CEF must be enabled at the router CLI for the router to forward packets to the NM-CIDS. Several Cisco IOS forwarding features and services are implemented within the CEF architecture, and they are processed in a fixed sequence depending on which features are configured. Certain features alter the content of a packet, and whether the NM-CIDS receives its copy before or after such a feature runs determines what the NM-CIDS sees.

Cisco IOS Features

The contents of a packet may be altered by certain Cisco IOS forwarding features, such as Network Address Translation (NAT). The following is a list of the features whose processing can affect the operation of the NM-CIDS:
Access Control Lists and NM-CIDS

The Cisco IOS-IDS implementation checks for certain signatures before an input ACL filters the packet, so that it can report attacks destined for the network even when the router drops them. Such an approach is difficult to implement with the NM-CIDS, because the router sends the NM-CIDS a single copy of each packet. If that copy were taken before the input ACL, a second copy would be needed later for any packet that is subsequently decrypted (if encryption is enabled) or whose IP address is changed by NAT. To avoid sending multiple copies, the router takes the copy after the input ACL: a packet that an input ACL drops is never forwarded to the NM-CIDS, so attacks blocked by input ACLs do not generate NM-CIDS alarms. The output ACL, however, is evaluated after the copy is taken, so a packet is forwarded to the NM-CIDS even if the output ACL later drops it.

Encryption and NM-CIDS

If an IPSec tunnel terminates at the router, the router decrypts incoming packets before passing them to the NM-CIDS and encrypts outgoing packets only after copying them to the NM-CIDS, so the NM-CIDS can fully analyze those packets. However, if encrypted traffic merely passes through the router, the router does not decrypt it; the NM-CIDS receives the packets in their encrypted state and cannot analyze their contents.

Inside NAT and NM-CIDS

Network Address Translation (NAT) is a common router feature that changes the source or destination address of a packet. The IPS signature engines maintain TCP session state for all the TCP sessions they monitor, and they need to see packets in both directions to analyze a session adequately. For that to work, the source and destination IP addresses seen in the two directions of a session must be consistent.
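As an added illustration of the consistency requirement just stated (this is example code, not from the book or from Cisco), the following Python model replays the TCP handshake of the inside NAT scenario that Figure 14-6 walks through next. It compares a naive tap, which hands the sensor each packet exactly as it arrived on the monitored interface, with the NM-CIDS behaviour, in which the sensor only ever sees inside addresses. The port numbers, the static NAT entry, and the three handshake packets are constructed for the example; the session tracker is a deliberately minimal three-way-handshake state machine, not the Cisco signature engine.

```python
"""Why inside NAT breaks bidirectional TCP session tracking unless the
sensor sees one consistent address for the inside host.

Added example (not book or Cisco code). Addresses follow Figure 14-6;
ports and the NAT entry are constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK"}


# Static inside-local -> inside-global NAT entry (constructed, matches Figure 14-6).
NAT_TABLE = {"10.1.1.10": "150.1.1.10"}
REVERSE_NAT = {g: l for l, g in NAT_TABLE.items()}


def sensor_copy(pkt, arrival, normalize_inside):
    """Return the copy of pkt that the router hands to the sensor.

    arrival: "inside" (entered Interface A) or "outside" (entered Interface B).
    normalize_inside=True models the NM-CIDS behaviour: outbound packets are
    copied before NAT, and the destination of return packets is translated
    back to the inside address before copying, so the sensor sees only
    10.1.1.10. False models a naive tap that copies packets as received.
    """
    if arrival == "inside":
        return pkt  # copied before inside NAT rewrites the source
    if normalize_inside and pkt.dst in REVERSE_NAT:
        return replace(pkt, dst=REVERSE_NAT[pkt.dst])
    return pkt


class TcpSessionTracker:
    """Minimal three-way-handshake tracker keyed independently of direction."""

    def __init__(self):
        self.sessions = {}   # key -> (state, initiator endpoint)
        self.orphans = []    # packets that fit no session in a usable state

    @staticmethod
    def key(pkt):
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def observe(self, pkt):
        k = self.key(pkt)
        state, initiator = self.sessions.get(k, ("NONE", None))
        sender = (pkt.src, pkt.sport)
        if state == "NONE" and pkt.flags == {"SYN"}:
            self.sessions[k] = ("SYN_SENT", sender)
        elif state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"} and sender != initiator:
            self.sessions[k] = ("SYN_RECEIVED", initiator)
        elif state == "SYN_RECEIVED" and pkt.flags == {"ACK"} and sender == initiator:
            self.sessions[k] = ("ESTABLISHED", initiator)
        else:
            self.orphans.append(pkt)  # out-of-state packet: the engine cannot use it
        return self.sessions.get(k, ("NONE", None))[0]


def run_handshake(normalize_inside):
    """Replay the handshake of Figure 14-6; return (session states, orphan count)."""
    syn = Packet("10.1.1.10", "100.20.10.10", 40000, 80, frozenset({"SYN"}))
    # The reply is addressed to the inside-global address, as seen on Interface B.
    synack = Packet("100.20.10.10", "150.1.1.10", 80, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet("10.1.1.10", "100.20.10.10", 40000, 80, frozenset({"ACK"}))

    tracker = TcpSessionTracker()
    tracker.observe(sensor_copy(syn, "inside", normalize_inside))
    tracker.observe(sensor_copy(synack, "outside", normalize_inside))
    tracker.observe(sensor_copy(ack, "inside", normalize_inside))
    states = sorted(state for state, _ in tracker.sessions.values())
    return states, len(tracker.orphans)


if __name__ == "__main__":
    print("naive tap:       ", run_handshake(normalize_inside=False))
    print("inside addresses:", run_handshake(normalize_inside=True))
```

With the naive tap the SYN/ACK arrives under a different address pair, so the tracker never advances past SYN_SENT and two of the three packets are unusable; with inside addresses presented consistently the same session reaches ESTABLISHED, which is what the signature engines need.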
NAT can affect the sensor's ability to determine the true source or destination address. In Figure 14-6, Interfaces A and B are configured on the router. Interface A is on the inside of the NAT domain, whereas B is on the outside. A packet entering Interface A has a source address of 10.1.1.10 and a destination address of 100.20.10.10. The router processes the packet and sends it out Interface B, changing the source address of the outbound packet to 150.1.1.10. The outside domain sees this address as the IP address of the host inside the NAT domain.

Figure 14-6. Inside NAT and NM-CIDS

When the return packet arrives on Interface B, its source IP address is 100.20.10.10 and its destination IP address is 150.1.1.10. The router translates the destination address to 10.1.1.10 and sends the packet out Interface A. If the NM-CIDS recorded 10.1.1.10 as the source address for packets moving from Interface A to Interface B, but 150.1.1.10 as the destination in the return packets moving from Interface B to Interface A, it could not maintain a consistent session state. For session state to be maintained accurately, the same address, either 10.1.1.10 or 150.1.1.10, must be seen in both directions. Outside, or global, IP addresses are often dynamically assigned and shared; if the outside addresses were sent to the NM-CIDS, it would be difficult to identify which host on the inside network was attacked. Therefore, the router sends only the inside IP addresses to the NM-CIDS. In the scenario in the figure, only the 10.1.1.10 address is sent.

Outside NAT and NM-CIDS

With inside NAT, an inside local address is translated to an inside global address. Figure 14-7 shows the router's behavior in relation to the NM-CIDS when outside NAT, the translation between an outside global address and an outside local address, is configured. The outside host's global address, 10.1.1.10, is seen as 150.1.1.10 by the inside network.
The inside address, 100.20.10.10, is passed through the router without translation. The NM-CIDS analyzes the packet with the 150.1.1.10 address, so when an attack is detected, the alarm reports 150.1.1.10 and the attacker's actual address, 10.1.1.10, is not displayed. This means the attack source may not be easy to trace: the router's NAT translation table is what maps 150.1.1.10 back to 10.1.1.10, so consult it while the translation is still active.

Figure 14-7. Outside NAT Example

IP Multicast, IP Broadcast, and UDP Flooding and NM-CIDS

When the router receives IP multicast traffic, IP broadcast traffic, or UDP flooding traffic, the packets received on an input interface are forwarded on one or more output interfaces. In this situation, if the input interface is configured for IPS monitoring, the packet is sent to the NM-CIDS. However, if only the output interfaces are configured for monitoring, the packet is not forwarded to the NM-CIDS.

GRE Tunnels and NM-CIDS

The NM-CIDS does not analyze GRE-encapsulated packets. If a GRE packet is received and the incoming interface is enabled for IPS monitoring, the packet is not forwarded to the NM-CIDS. However, if the router itself encapsulates a packet in a GRE tunnel and the incoming interface is enabled for IPS monitoring, the packet is sent to the NM-CIDS before encapsulation. The inspection of GRE traffic that terminates on the router, noted under "NM-CIDS Key Features," therefore applies to packets after decapsulation, not to the encapsulated packets as received.

Packets Not Forwarded to NM-CIDS

There are other cases in which a packet is not inspected by the NM-CIDS. For example, Address Resolution Protocol (ARP) packets are not forwarded to the NM-CIDS, so ARP-based signatures never fire on the NM-CIDS. In addition, Cisco IOS software examines the IP header of every packet and drops any packet whose header contains an error, such as an irregularity in a field; such packets never reach the NM-CIDS either. Possible irregularities include the following:
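As an added example (not code from the book or from Cisco), the following Python validator applies the standard IPv4 header invariants, version, IHL, total length and header checksum, and reports which one a malformed packet violates. It is a generic illustration of what a header irregularity is and of why such packets are dropped before any sensor sees them; it is not the book's own list of irregularities, and the specific checks are my assumptions about what a router minimally enforces. Every packet is constructed inline, including the corrupted ones.

```python
"""Generic IPv4 header sanity checks of the kind a router applies before a
packet is forwarded (or copied to a sensor); packets failing them never
reach the NM-CIDS.

Added example, not book or Cisco code. The checks are the standard IPv4
header invariants (version, IHL, total length, header checksum), chosen
by assumption; they are not the book's own list. All packets are built inline.
"""
import ipaddress
import struct


def ipv4_checksum(header):
    """RFC 791 header checksum: one's complement of the one's complement sum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, *, version=4, ihl=5, ttl=64, proto=6,
               total_length=None, checksum=None):
    """Build an IPv4 packet; the keyword arguments let a caller corrupt fields."""
    hlen = ihl * 4
    if total_length is None:
        total_length = hlen + len(payload)
    head = struct.pack("!BBHHHBBH4s4s",
                       (version << 4) | ihl, 0, total_length, 0x1234, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    head += b"\x00" * (hlen - 20)          # options area, zero-filled
    if checksum is None:
        checksum = ipv4_checksum(head)
    head = head[:10] + struct.pack("!H", checksum) + head[12:]
    return head + payload


def ipv4_header_error(buf):
    """Return None if the header is sane, otherwise the reason it would be dropped."""
    if len(buf) < 20:
        return "truncated header"
    version, ihl = buf[0] >> 4, buf[0] & 0x0F
    if version != 4:
        return "version %d is not 4" % version
    if ihl < 5:
        return "IHL %d below minimum 5" % ihl
    hlen = ihl * 4
    if hlen > len(buf):
        return "IHL exceeds packet length"
    (total_length,) = struct.unpack("!H", buf[2:4])
    if total_length < hlen:
        return "total length smaller than header"
    if total_length > len(buf):
        return "total length exceeds bytes received"
    if ipv4_checksum(buf[:hlen]) != 0:   # a header with a valid checksum sums to zero
        return "header checksum mismatch"
    return None


def classify_samples():
    """One well-formed packet and four with a single header irregularity each."""
    args = ("10.1.1.10", "100.20.10.10", b"GET / HTTP/1.0\r\n\r\n")
    good = build_ipv4(*args)
    flipped_ttl = good[:8] + bytes([good[8] ^ 0xFF]) + good[9:]  # stale checksum
    return {
        "good": ipv4_header_error(good),
        "bad_version": ipv4_header_error(build_ipv4(*args, version=6)),
        "short_ihl": ipv4_header_error(build_ipv4(*args, ihl=4)),
        "length_overrun": ipv4_header_error(build_ipv4(*args, total_length=2000)),
        "checksum": ipv4_header_error(flipped_ttl),
    }


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print("%-15s %s" % (name, verdict or "forwarded"))
```

The practical point is the one the paragraph makes: a signature written for a packet that fails any of these checks can never fire on the NM-CIDS, because the router discards the packet before the copy is taken; the router's own drop counters, not the sensor, are where such traffic shows up.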
NM-CIDS Installation and Configuration Tasks

The configuration tasks for the NM-CIDS are similar to those for the IPS sensor appliance, with the following exceptions:
Installing and configuring the NM-CIDS involves the following tasks:
After completing your configuration, verify that the NM-CIDS is analyzing traffic, and back up the configuration once it is working properly.

Installing the NM-CIDS

Installing the NM-CIDS into your router involves the following tasks:
Inserting the NM-CIDS into a Router

When installing the NM-CIDS into your router, follow a few guidelines. First, power down the router if it is a 2600XM Series router or a 2691 router. This step is not necessary for a 3660, 3725, or 3745 router, because each of these supports online insertion and removal (OIR) of network modules (hot swapping the module into the router's chassis). You can install only one NM-CIDS in a router. Furthermore, you should not run Cisco IOS-IDS and the NM-CIDS on the same router, because the combination adversely affects the router's performance.

Connecting the NM-CIDS to the Network

To connect the NM-CIDS to the network, use a straight-through two-pair Category 5 unshielded twisted-pair (UTP) cable. Connect the RJ-45 plug to the NM-CIDS Fast Ethernet 0 port, which is the command and control interface (the only external interface available). Connect the other end to a switch, hub, repeater, server, or other network device.

Verifying That the Router Recognizes the NM-CIDS

Make sure the router recognizes the NM-CIDS by using the show running-config command at the router console prompt. If the router recognizes the NM-CIDS, you should see the following line in the command output:

    interface IDS-Sensor1/0

You can also use the show version command for the same purpose. If the router recognizes the NM-CIDS, the show version output contains the following line:

    1 cisco ids sensor(s),ids monitoring on slot 1

If the router does not recognize the NM-CIDS, verify that you are running Cisco IOS version 12.2(15)ZJ or later and that the NM-CIDS is firmly seated in the router.

Verifying That Cisco IOS-IDS Is Not Running

Running Cisco IOS-IDS while the NM-CIDS is present is not recommended, because doing so significantly reduces router performance. The easiest way to determine whether Cisco IOS-IDS is enabled is to use the show ip audit interface command.
If Cisco IOS-IDS is not running, the output of this command is blank.

Configuring the Internal ids-sensor Interface

The router-side internal Fast Ethernet interface is known as interface ids-sensor. It appears in the Cisco IOS show interfaces and show controllers command output. An IP address must be assigned to this interface in order to obtain console access to the NM-CIDS. However, if that address is reachable from outside the router (for example, because it is advertised in routing updates), the monitoring interface itself becomes a target. It is therefore highly recommended that you borrow the address of a loopback interface (with ip unnumbered) and keep that loopback out of your routing advertisements. To assign a loopback address to this interface, complete the following tasks:
Verifying the NM-CIDS Slot Number

Use the show interfaces ids-sensor command to confirm the NM-CIDS slot number in your router. Cisco IOS software gives the NM-CIDS the name "ids-sensor." Assuming that you put your NM-CIDS into slot 1, the show interfaces command output is as displayed in Example 14-1.

Example 14-1. Viewing NM-CIDS Interface Information Using the show interfaces Command

    router# show interfaces ids-sensor 1/0
    IDS-Sensor1/0 is up, line protocol is up
      Hardware is I82559FE, address is 000d.bc3a.d090 (bia 000d.bc3a.d090)
      Interface is unnumbered. Using address of Loopback0 (1.2.3.4)
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:17, output 00:00:00, output hang never

Note: The port number for the show interfaces command is always 0, because there is only one port on the NM-CIDS.

To display the contents of the currently running configuration file or the configuration for a specific interface, use the show running-config command in privileged EXEC mode, as displayed in Example 14-2. The show running-config command without any arguments or keywords displays the entire contents of the running configuration file.

Example 14-2. Viewing NM-CIDS Interface Information Using the show running-config Command

    router# show running-config
    !*** Configuration content abbreviated for clarity ***
    interface FastEthernet0/1
     ip address 172.30.2.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface IDS-Sensor1/0
     ip unnumbered Loopback0
     hold-queue 60 out

Enabling CEF

Use the ip cef command to enable the CEF switching path. This must be done in order for the router to forward packets to the NM-CIDS.

Configuring the Interface

The session command used to access the NM-CIDS console starts a reverse Telnet connection using the IP address of the ids-sensor interface.
The ids-sensor interface sits between the NM-CIDS and the router. You must assign an IP address to the ids-sensor interface before invoking the session command. However, assigning a routable IP address can make the ids-sensor interface itself vulnerable to attack. To counter that, assign a loopback IP address to the ids-sensor interface.

Note: With an ordinary Telnet session, a client connects to a server's Telnet port. With reverse Telnet, you connect to a TCP port on the router that is mapped to one of its asynchronous (TTY) lines, and the router bridges the connection onto that line; here the line is the internal UART to the NM-CIDS console, which is what the session command uses.

Configuring a loopback interface for the ids-sensor interface involves choosing a loopback number and assigning an IP address to that loopback. Example 14-3 assigns loopback 0 the IP address 10.1.1.1.

Example 14-3. Assigning an IP Address to the Loopback Interface

    Router# conf t
    Router(config)# interface loopback 0
    Router(config-if)# ip address 10.1.1.1 255.255.255.255

After you create the loopback interface and assign an IP address to it, you must map the loopback interface to the ids-sensor interface. Example 14-4 maps the loopback interface to the ids-sensor interface in slot 1.

Example 14-4. Assigning a Loopback Interface to the ids-sensor Interface

    Router# conf t
    Router(config)# interface ids-sensor 1/0
    Router(config-if)# ip unnumbered loopback 0
    Router(config-if)# no shutdown
    Router(config-if)# end
    Router# write memory

After completing the configuration of the ids-sensor interface, execute the show interfaces ids-sensor command to view the configuration. The output should be similar to that in Example 14-5.

Example 14-5. Verifying a Loopback Address Using the show interfaces Command

    Router# show interfaces ids-sensor 1/0
    IDS-Sensor1/0 is up, line protocol is up
      Hardware is I82559FE, address is 000d.bc3a.d090 (bia 000d.bc3a.d090)
      Interface is unnumbered. Using address of Loopback0 (10.1.1.1)
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:17, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/60 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 1000 bits/sec, 2 packets/sec
         3042 packets input, 185400 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 input packets with dribble condition detected
         63975 packets output, 6750422 bytes, 0 underruns
         0 output errors, 0 collisions, 2 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out

Assigning the Clock Settings

The NM-CIDS clock cannot be set directly; it must use the router's clock or an NTP server as its reference. By default, the NM-CIDS automatically synchronizes its clock with the router's time. With the default setting, only Greenwich Mean Time (GMT) is synchronized between the router and the NM-CIDS; the time zone and summer time settings are not. Therefore, set the time zone and summer time settings on both the router and the NM-CIDS so that the GMT time is correct. It is recommended that you use an NTP time source, which sets the time on your NM-CIDS from an authoritative source. The following are clock recommendations, listed from best choice to worst choice:
Note: The NM-CIDS alarm time stamps indicate both UTC and local time.

Using the Router Time Source

When using Cisco IOS clock mode, accurate NM-CIDS time depends on the following:
When you use the router's clock, several factors affect the time values that your NM-CIDS uses to time-stamp events, and understanding them is crucial to using the router's time effectively. The Coordinated Universal Time (UTC) sent to the NM-CIDS is calculated by the router from its local time, time zone, and summer time settings, so if the router's time zone settings are wrong, the UTC time sent to the NM-CIDS is also wrong. Configuring the router clock in UTC minimizes such mistakes. Whenever the router is rebooted, its clock setting is reset, which causes inconsistent time stamps if the clock is not set correctly after each reboot.

Note: Transport Layer Security (TLS) certificates are validated against the current time. If the router time is accidentally set to a time before the certificates were issued or after they expire, those certificates will not work.

Using an NTP Time Source

When you are using NTP mode, accurate NM-CIDS time depends on the following:
Configuring NM-CIDS Clock Mode

To configure NTP mode, first specify the NTP server's IP address by using the ntp server command. The syntax for the ntp server command is as follows:

    ntp server ip-address [version number] [key keyid] [source interface] [prefer]

Table 14-2 explains the parameters for the ntp server command.
To complete the configuration of your NM-CIDS to use NTP, define an authentication key for NTP by using the ntp authentication-key command. The authentication key consists of a key ID, a unique numeric identifier, and a key value, the authentication key itself. When this command is written to nonvolatile RAM (NVRAM), the key is encrypted so that it is not displayed when the configuration is viewed. The syntax for the ntp authentication-key command is as follows:

    ntp authentication-key number md5 value

Table 14-3 explains the parameters for the ntp authentication-key command. Defining the key is not sufficient on its own: on a Cisco IOS router the key must also be marked trusted (ntp trusted-key), NTP authentication must be turned on (ntp authenticate), and the key must be referenced from the ntp server command (the key keyid option) before time from that server is actually authenticated. Without authentication, anyone who can impersonate the NTP server can shift the clock, and with it both the alarm time stamps and the certificate validity checks described above.
Setting Up Packet Monitoring

To configure packet monitoring, enter configuration mode for the interface you want the NM-CIDS to monitor, then use the ids-service-module monitoring command to specify that all packets sent and received on that interface are copied to the NM-CIDS for inspection.

Note: You must configure each interface and subinterface that you want the NM-CIDS to monitor; an interface you omit is simply not inspected.

Suppose that you want the NM-CIDS to monitor traffic on FastEthernet 1/0. To set up packet monitoring on this interface, enter the configuration commands in Example 14-6.

Example 14-6. Setting Up Packet Monitoring on FastEthernet 1/0

    Router# configure terminal
    Router(config)# interface FastEthernet1/0
    Router(config-if)# ids-service-module monitoring
    Router(config-if)# end
    Router# write memory

Logging In to the NM-CIDS Console

Unlike the IPS appliances, the NM-CIDS does not have its own console port. Internal UARTs provide console access to the NM-CIDS through the Cisco IOS software, which performs a reverse Telnet to the NM-CIDS console. The reverse Telnet can be invoked indirectly with the service-module command or directly with Telnet.

Accessing NM-CIDS via a Session

You can access the NM-CIDS by using the service-module command. The syntax for this command is as follows:

    service-module ids-sensor slot-number/port-number session

For instance, to session in to the NM-CIDS located in slot 1 on your router, use the following command:

    Router# service-module ids-sensor 1/0 session

Accessing NM-CIDS via Telnet

Another way to reach the NM-CIDS console is by direct Telnet. You can open a Telnet session to the IP address of any interface on the router using a special port number. This opens a connection to the console via the internal UART, just like the session command from the router console. The formula for calculating the port number is (32 * slot number) + 2001.
For example, the port number for slot 1 is 2033, and the port number for slot 2 is 2065.

Note: For Telnet access to work, you must also configure the vty port to support Telnet. For information on configuring vty ports, refer to the Cisco IOS documentation. Keep in mind that this path is plain Telnet: the NM-CIDS login, password included, crosses the network in cleartext, so confine it to a trusted management network and restrict which hosts may reach the port.

NM-CIDS Login

Like the sensor appliances, the NM-CIDS is configured with a default Administrator account with a username and password of "cisco." You can use this account to log in to the NM-CIDS initially. However, the default "cisco" password is temporary and expires upon first login. When prompted, you must change the password for this default account to a string that is not a dictionary word and is at least eight alphanumeric characters long. Special characters are not supported. After logging in, you are presented with the privileged EXEC sensor prompt. You can then perform the initial NM-CIDS configuration as you would for any other sensor by using the setup command.

Performing Initial Sensor Configuration

After accessing the NM-CIDS CLI, you can perform the initial sensor configuration as you would for any other appliance sensor, including running the setup command. Chapter 2, "IPS Command-Line Interface," provides more information on the initial sensor configuration tasks.

NM-CIDS Maintenance Tasks

Besides the normal maintenance operations available on a sensor, with the NM-CIDS you can perform some maintenance operations from the router CLI. The service-module ids-sensor command enables you to perform the following tasks from the router CLI:
The syntax for the service-module ids-sensor command is as follows:

    service-module ids-sensor slot-number/port-number {reload | reset | session | shutdown | status}

Reloading the NM-CIDS

To reload the NM-CIDS from the router CLI, use the reload keyword of the service-module ids-sensor command. This initiates a software reboot on the NM-CIDS that stops and then reloads the IPS sensor software. Example 14-7 illustrates reloading the NM-CIDS located in slot 1.

Example 14-7. Reloading the NM-CIDS

    Router# service-module ids-sensor 1/0 reload
    Do you want to proceed with the reload? [confirm] y
    Trying to reload Service Module IDS-Sensor1/0

Resetting the NM-CIDS

To reset the NM-CIDS from the router CLI, use the reset keyword of the service-module ids-sensor command. This initiates a hardware reboot of the NM-CIDS. Example 14-8 illustrates resetting the NM-CIDS located in slot 1.

Example 14-8. Resetting the NM-CIDS

    Router# service-module ids-sensor 1/0 reset
    Use reset only to recover from shutdown or failed state
    Warning: May lose data on the hard disc!
    Do you want to reset? [confirm] y

Warning: Reset an NM-CIDS only to recover from a failed state. Resetting an operational NM-CIDS should be a last resort, because it may cause you to lose all the data on the NM-CIDS hard disk.

Note: After you shut down the NM-CIDS, you need to reset the NM-CIDS (or reboot the router) to return it to operational status if you do not remove the module from the router.

Shutting Down the NM-CIDS

To shut down the NM-CIDS from the router CLI, use the shutdown keyword of the service-module ids-sensor command. This gracefully halts the Linux operating system on the NM-CIDS. You typically use this command before removing the NM-CIDS from the router, to avoid corrupting the data on the NM-CIDS hard disk. Example 14-9 illustrates shutting down the NM-CIDS located in slot 1.

Example 14-9. Shutting Down the NM-CIDS

    Router# service-module ids-sensor 1/0 shutdown
    Do you want to proceed with the reload? [confirm] y
    Use service module reset command to recover from shutdown
    Router#
    Dec 12 18:30:13.715: %SERVICEMODULE-5-SHUTDOWN2: Service module IDS-Sensor1/0 shutdown complete

Note: After removing the NM-CIDS, install a blank panel to cover the open slot if you do not reinsert an NM-CIDS or another router module.

Viewing the NM-CIDS Status

To view the status of the NM-CIDS from the router CLI, use the status keyword of the service-module ids-sensor command. This displays the status of the NM-CIDS software. If the NM-CIDS is operational, the following line appears in the output:

    Service Module is in Steady state

Example 14-10 illustrates viewing the status of the NM-CIDS located in slot 1. The TTY line number it reports (33 for slot 1) is the line behind the reverse Telnet port described earlier, 2000 plus the line number, which is 2033 here.

Example 14-10. Viewing NM-CIDS Status Using the service-module Command

    Router# service-module ids-sensor 1/0 status
    Service Module is Cisco IDS-Sensor1/0
    Service Module supports session via TTY line 33
    Service Module is in Steady state
    Getting status from the Service Module, please wait...
    Cisco Systems Intrusion Detection System Network Module
      Software version:  4.1(1)S47
      Model:             NM-CIDS
      Memory:            254676 KB
    sensor#

Recovering the NM-CIDS Software Image

In the following situations, you might need to recover the NM-CIDS software image:
After you finish the recovery procedure, all NM-CIDS configuration settings are reset to their defaults. You must either restore your custom settings from a backed-up configuration or re-enter them manually, so back up the sensor configuration before you begin. To recover the NM-CIDS software image, you need the following:
Note: A helper image is used only to install the application image. It is stored on a network TFTP server and is downloaded afresh by the NM-CIDS each time the helper is booted.

Image recovery involves the following tasks:
Configuring the Boot Loader

To configure the boot loader, first download the helper file from Cisco.com to a TFTP server on your network and copy the helper image to the /tftpboot directory on that server. Then access the boot loader prompt. The following steps show how to access the boot loader prompt for an NM-CIDS in slot 1:
Booting the Helper Image

To boot the helper image, enter boot helper at the ServicesEngine boot-loader> prompt:

ServicesEngine boot-loader> boot helper

The boot loader brings up the external interface and locates the TFTP server host. When the TFTP load begins, a spinning character indicates packets arriving from the TFTP server. When the load completes, a message indicates that the helper is valid and the helper utility is launched, as shown in Example 14-11.

Example 14-11. Boot Helper Menu Options

Image signature verified successfully.
Cisco Systems, Inc.
Services engine helper utility for NM-CIDS
Version 1.0(1) [200305011547]
-- -- -
Main menu
1 - Download application image and write to HDD
2 - Download bootloader and write to flash
3 - Display software version on HDD
4 - Display total RAM size
5 - Change file transfer method (currently secure shell)
r - Exit and reset Services Engine
h - Exit and shutdown Services Engine
Selection [12345rh]:

Selecting the File Transfer Method

From the helper main menu, select 5 to choose the file transfer method used to download the application image. This setting controls only the protocol used to download the application and boot-loader image files; the boot loader itself always uses TFTP to fetch the helper image. Prefer the secure shell method wherever your environment allows it: TFTP provides no authentication and no transport integrity, so an image fetched over TFTP is only as trustworthy as the network path between the module and the TFTP server. Because the helper image is always retrieved over TFTP, the image signature verification reported at the top of Example 14-11 is the control you rely on for that stage. The command sequence in Example 14-12 selects Secure Shell (SSH) for retrieving the image files.

Example 14-12. Selecting SSH for Boot Helper File Transfer

Selection [12345rh]: 5
Change file transfer method menu
The current file transfer method is secure shell.
1 - Change to secure shell
2 - Change to tftp
r - return to main menu
1

Installing the Application Image

To begin re-imaging the hard disk, enter 1 at the Selection [12345rh]: prompt. Then complete the following steps:
If the restore is successful, you receive the message in Example 14-13 and are returned to the main menu at the Selection [12345rh]: prompt.

Example 14-13. Boot Helper Successful Restore Message

Disk restore was successful
The operation was successful

Booting the Application Image

After downloading and installing the application image, reboot the NM-CIDS by entering r at the Selection [12345rh]: prompt, as shown in Example 14-14.

Example 14-14. Rebooting the NM-CIDS by Using the Boot Helper

Selection [12345rh]: r
About to exit and reset Services Engine
Are you sure? [y/n] y

After the reboot, initialize the NM-CIDS by logging in to it and running the setup command. After running setup, restore the original NM-CIDS configuration from your backup or reconfigure the module manually.

Configuring the IPS Application

The same software revision upgrades, service packs, and signature updates that you use for any other Cisco IPS sensor also apply to the NM-CIDS. Because the application image you just installed may be older than the release you were running, use the upgrade CLI command after installing it to bring the NM-CIDS back to the correct service pack level and signature release. The upgrade process is the same as for other Cisco IPS sensors.
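The following Python script is an added example for this chapter, not code from the Cisco documentation or from the NM-CIDS software. It turns the status output of Example 14-10 and the %SERVICEMODULE-5-SHUTDOWN2 syslog line of Example 14-9 into structured fields, flags a module that is not in Steady state and recommends the router-side reset the chapter prescribes for a shutdown or failed module, and compares the reported software version against a target release so you can tell whether the post-recovery upgrade step described under Configuring the IPS Application is still outstanding. The sample outputs are constructed from the examples above; the wording of the non-steady state line, the version-ordering rule, and all class and function names are assumptions of this example.

```python
"""Scripted health check for an NM-CIDS from router CLI output.

Added example (not Cisco code). Parses `service-module ids-sensor <slot>/<port>
status` output and the %SERVICEMODULE-5-SHUTDOWN2 syslog message, and checks
the reported software version against a target release.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed from Example 14-10: an operational module in slot 1.
STATUS_STEADY = """\
Service Module is Cisco IDS-Sensor1/0
Service Module supports session via TTY line 33
Service Module is in Steady state
Getting status from the Service Module, please wait...
Cisco Systems Intrusion Detection System Network Module
  Software version: 4.1(1)S47
  Model:NM-CIDS
  Memory:254676 KB
"""

# Constructed placeholder for a module after `shutdown`. The documentation only
# guarantees the "Steady state" wording for an operational module; the exact
# text IOS prints for other states is an assumption of this example.
STATUS_SHUTDOWN = """\
Service Module is Cisco IDS-Sensor1/0
Service Module supports session via TTY line 33
Service Module is in Shutdown state
"""

# Constructed from the syslog line in Example 14-9.
SYSLOG_LINE = ("Dec 12 18:30:13.715: %SERVICEMODULE-5-SHUTDOWN2: "
               "Service module IDS-Sensor1/0 shutdown complete")

SHUTDOWN_RE = re.compile(
    r"%SERVICEMODULE-5-SHUTDOWN2: Service module (IDS-Sensor\d+/\d+) shutdown complete")
# Version strings look like 4.1(1)S47: major.minor(service pack)S<signature release>.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)S(\d+)$")


@dataclass
class ModuleStatus:
    module: Optional[str]            # e.g. "Cisco IDS-Sensor1/0"
    tty_line: Optional[int]          # line used by `service-module ... session`
    state: Optional[str]             # "Steady state" when operational
    software_version: Optional[str]  # e.g. "4.1(1)S47"
    model: Optional[str]
    memory_kb: Optional[int]

    @property
    def operational(self) -> bool:
        # The chapter states an operational module reports exactly this line.
        return self.state == "Steady state"

    @property
    def slot_port(self) -> Optional[str]:
        m = re.search(r"IDS-Sensor(\d+/\d+)", self.module or "")
        return m.group(1) if m else None


def parse_status(text: str) -> ModuleStatus:
    """Extract the fields of `service-module ids-sensor status` output."""
    def grab(pattern: str, conv=str):
        m = re.search(pattern, text, re.MULTILINE)
        return conv(m.group(1)) if m else None

    return ModuleStatus(
        module=grab(r"^Service Module is (Cisco IDS-Sensor\d+/\d+)\s*$"),
        tty_line=grab(r"session via TTY line (\d+)", int),
        state=grab(r"^Service Module is in (.+?)\s*$"),
        software_version=grab(r"Software version:\s*(\S+)"),
        model=grab(r"Model:\s*(\S+)"),
        memory_kb=grab(r"Memory:\s*(\d+)\s*KB", int),
    )


def recommend_action(status: ModuleStatus) -> str:
    """Map the reported state to the router-side command the chapter prescribes."""
    if status.operational:
        return "none"
    slot_port = status.slot_port or "<slot>/<port>"
    if status.state and re.search(r"shutdown|fail", status.state, re.IGNORECASE):
        # "Use reset only to recover from shutdown or failed state".
        return f"service-module ids-sensor {slot_port} reset"
    return "investigate"  # any other state: session in first, do not reset blindly


def shutdown_complete(log_line: str) -> Optional[str]:
    """Return the module name if the syslog line reports a completed shutdown."""
    m = SHUTDOWN_RE.search(log_line)
    return m.group(1) if m else None


def parse_version(version: str) -> Tuple[int, int, int, int]:
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IPS version string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def needs_upgrade(current: str, target: str) -> bool:
    """True when the running release sorts below the target (ordering assumed)."""
    return parse_version(current) < parse_version(target)


if __name__ == "__main__":
    for sample in (STATUS_STEADY, STATUS_SHUTDOWN):
        st = parse_status(sample)
        print(st.module, "|", st.state, "->", recommend_action(st))
    print("shutdown reported for:", shutdown_complete(SYSLOG_LINE))
    print("upgrade needed:", needs_upgrade("4.1(1)S47", "4.1(1)S50"))
```

Feed it the captured output of the status command (for example from a scheduled CLI collector) and the router's syslog stream; a module whose state is anything other than Steady state, or whose version falls below the release you expect after recovery, is what a monitoring job should alert on rather than silently assume the sensor is still inspecting traffic.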