Foundation and Supplemental Topics

NM-CIDS Overview

NM-CIDS for access routers is a full-featured IPS sensor that provides the ability to inspect all traffic traversing a router. Figure 14-1 shows an NM-CIDS. It is factory-loaded with the latest Cisco IPS sensor software and is at feature and function parity (with the except of inline mode) with the other implementations of Cisco IPS, such as the sensor appliance and the Intrusion Detection System Module 2 (IDSM-2); therefore, the NM-CIDS can be managed and monitored with the same applications as the other Cisco IPS sensor devices.

This chapter focuses on the following aspects of the NM-CIDS:

• Key features

• Specifications

• Configuration

• Image recovery

NM-CIDS Key Features

The NM-CIDS can monitor traffic from all interfaces on the router, including inside and outside interfaces. Through collaboration with the Cisco IOS software, NM-CIDS can monitor IP Security (IPSec) Virtual Private Network (VPN) and generic routing encapsulation (GRE) traffic in decrypted form when these tunnels terminate on the router, providing inspection at the first point of entry into the network. This capability is an industry first.

Note

The NM-CIDS can monitor traffic from all the interfaces on the router except for the console and auxiliary ports because these are not regular network interfaces.

The NM-CIDS fits into a single network module slot on the Cisco 2600XM Series 2691, 3660, 3725, and 3745 routers. Only one NM-CIDS is supported in a given router, but it is not restricted to a specific network module slot within the router.

By integrating IPS and branch-office routing, the NM-CIDS reduces the complexity of securing WAN links while offering reduced operating costs. The NM-CIDS also simplifies power management by using the power options on the router.

The NM-CIDS uses a separate processor and memory to maximize performance. This design frees the router CPU from any processor-intensive IPS tasks.

NM-CIDS Specifications

Besides understanding the key features of the NM-CIDS, you must also understand its specifications (such as bandwidth capacity) so that you can effectively use this device in your overall Cisco IPS solution. The specifications for the NM-CIDS are as follows:

• Performance 45 Mbps

• Monitoring interface Internal 100 Mbps

• Command and control interface External 100 Mbps

• Supported routers Cisco 2600XM Series 2691, 3660, 3725, and 3745

• Cisco IOS software 12.2(15)ZJ or later

• IPS sensor software Cisco IPS version 4.1 or later

Note

To use NM-CIDS on 2691 and 3700 Series routers, your ROM version must be 12.2(8r)T2 or later.

NM-CIDS Front Panel

Although NM-CIDS is a line card that you insert into your router, it does have some indicators on its front panel that indicate its current operational status. (See Figure 14-2.) The external Fast Ethernet interface for command and control is also located on the front panel of NM-CIDS. The status LEDs available on the front panel of NM-CIDS are as follows:

• ACT Displays activity on the Fast Ethernet connection

• DISK Displays activity on the IPS hard-disk drive

• EN Indicates that the NM-CIDS has passed the self-test and is available to the router

• LINK Indicates that the Fast Ethernet connection is available to the NM-CIDS

• PWR Indicates that power is available to the NM-CIDS

Figure 14-2. NM-CIDS Front Panel

Traditional Appliance Sensor Network Architecture

Before the introduction of NM-CIDS, the traditional network architecture for a branch office includes two devices, the router and a dedicated Cisco IPS sensor. (See Figure 14-3.) This solution typically consists of a Cisco 26xx, 36xx, or 37xx branch-office router connected to a sensor. The Cisco IPS sensor portfolio for the branch office consists of the Cisco IPS 4210 and 4215 and the 4235 platforms. Each sensor functions as an external appliance that typically has two Fast Ethernet interfaces: one for packet monitoring and the other for command and control.

Little to no configuration is required on the branch router, and the branch router's CPU is affected only to the extent that it processes WAN traffic to the correct LAN interface. This process should not tax the router, so the CPU utilization should remain low.

The Cisco IPS sensors run their own Cisco IPS software. The router's Cisco IOS software is not affected when a signature file needs to be updated. Since the router is not actively participating in the IPS inspection, the level of performance that can be inspected within a network increases dramatically. For example, the IPS 4215 can inspect up to 80 Mbps, and the IPS 4235 can inspect up to 250 Mbps.

There are some disadvantages to using this two-box solution. The Cisco IPS appliance solution is a two-box solution that affects the real estate needs within your branch office and adds complexity to your network management solution, as compared to a one-box solution.

NM-CIDS Network Architecture

The scenario illustrated in Figure 14-4 is similar to that of the appliance sensor network architecture; however, in this scenario the network architecture includes the NM-CIDS. The NM-CIDS integrates the functionality of the Cisco IPS sensor into the branch router. The NM-CIDS is physically installed in a network module slot inside a Cisco 2600XM, 2691, 3660, 3725, or 3745 router. This provides a one-box IPS solution and the ability to monitor all the router's interfaces.

The NM-CIDS is directly connected to the router's backplane via an internal Fast Ethernet interface onboard the NM-CIDS. This internal interface serves as a monitoring port for traffic. Traffic entering the branch office from the WAN interface no longer needs to be ported to the LAN interface as is required for the sensor appliance solution; rather, the data is copied across the backplane to the internal Fast Ethernet monitoring port of the NM-CIDS.

As with Cisco IOS-IDS, WAN interface traffic can be inspected without having to be routed to a LAN interface. However, the NM-CIDS has an advantage over the Cisco IOS-IDS solution because it runs the same Cisco IPS sensor software as the appliance sensor. This feature allows support for a greater number of signatures and ease of signature update.

The disadvantage to this solution is that it impacts the performance of the router. Although the actual packet inspection function is offloaded to the NM-CIDS module, the router must copy packets to the module, which places an additional load on the router's processor.

NM-CIDS Hardware Architecture

The NM-CIDS provides interface-level packet monitoring capability. You can select one or more router interfaces or subinterfaces for IPS monitoring. The following are the hardware components of the router and NM-CIDS that enable this functionality (see Figure 14-5):

• NM-CIDS internal Fast Ethernet interface

• NM-CIDS external Fast Ethernet interface

• Internal Universal Asynchronous Receiver/Transmitter (UART) interface

• NM-CIDS disk, Flash, and memory

NM-CIDS Internal Fast Ethernet Interface

The NM-CIDS internal Fast Ethernet interface connects to the internal protocol control information (PCI) bus on the router's backplane to provide monitoring capability. This internal Fast Ethernet interface provides a 100-Mbps full-duplex interface between the router and the NM-CIDS. The router sends a copy of each packet to be inspected from its PCI bus to this internal Fast Ethernet interface. The packets are passed through the internal monitoring interface for classification and processing. The router-side interface for the internal Ethernet segment is known as interface ids sensor in the Cisco IOS software. This interface is the only interface associated with the IPS that is visible in the output of the show interfaces sensing command. The router-side internal interface is connected to the router PCI backplane.

NM-CIDS External Fast Ethernet Interface

The NM-CIDS external Fast Ethernet interface is used as the command and control port. This interface can be connected to a switch, to a hub, or directly to a workstation that has IPS management software.

Internal Universal Asynchronous Receiver/Transmitter Interface

The Internal Universal Asynchronous Receiver/Transmitter (UART) provides a virtual console access to the NM-CIDS from the backplane of the router. The NM-CIDS differs from a standalone IPS appliance in that it does not have an external console port. The internal UART interface is used to provide the console access. Console access to the NM-CIDS is enabled when you issue a service- module ids-sensor slot/0 session command from the Cisco IOS command line interface (CLI).

NM-CIDS Disk, Flash, and Memory

The NM-CIDS has its own disk, Flash, and memory and does not share those of the router. This minimizes the impact that the operation of NM-CIDS has on the router.

Traffic Capture for NM-CIDS

The forwarding of packets to the NM-CIDS is implemented in the Cisco Express Forwarding (CEF) switching path of Cisco IOS software. CEF is advanced Layer 3 IP switching technology supported in Cisco IOS Software Releases 12.0 and later. CEF mode must be enabled at the router CLI in order for the router to forward packets to the NM-CIDS. Several Cisco IOS forwarding features and services are implemented within the CEF architecture. Based on which feature or service is configured, these features are processed in a sequence. The content of packets may be altered after processing certain features, and altered packets can impact the monitoring done by the NM-CIDS.

Cisco IOS Features

The contents of a packet may be altered after processing certain Cisco IOS forwarding features such as Network Address Translation (NAT). The following is a list of the features whose processing can impact the operations of the NM-CIDS:

• Access Control Lists (ACLs)

• Encryption

• Network Address Translation (NAT)

• IP multicast

• UDP flooding

• IP broadcast

• GRE tunnels

Access Control Lists and NM-CIDS

The Cisco IOS-IDS implementation checks for certain signatures before an input ACL filters the packet. The purpose is to look for any possible attacks that were destined for the network before they were dropped by the router.

Such an approach is difficult to implement with the NM-CIDS. The router sends a copy of the packet to the NM-CIDS, and it is desirable to send only one copy of the packet. If the packet is forwarded to the NM-CIDS even before it is dropped, the router has to send another copy of the packet after the packet is decrypted (if encryption is enabled) or when the IP address is changed because of NAT. To avoid sending multiple copies of packets to the NM-CIDS, the router does not forward any packet that should be dropped according to an input ACL. However, the Cisco IOS software performs an output-ACL check after the packet is forwarded to the NM-CIDS, so the packet is forwarded to the NM-CIDS even if the output ACL drops the packet.

Encryption and NM-CIDS

If an IPSec tunnel is terminated at the router, the router decrypts incoming packets before passing them to the NM-CIDS. It encrypts outgoing packets after copying them to the NM-CIDS. Therefore, the NM-CIDS can fully analyze those packets. However, if encrypted traffic is merely passed through the router, the router does not decrypt it but passes the packets to the NM-CIDS in the encrypted state. The NM-CIDS cannot analyze those encrypted packets.

Inside NAT and NM-CIDS

Network Address Translation (NAT) is a common router feature that can be configured to change the source or destination address of a packet. The IPS signature engines maintain the TCP session states for all TCP sessions they monitor. The engines need to analyze packets in both directions in order to adequately analyze TCP sessions. The source and destination IP addresses of the bidirectional packets must be consistent. NAT can impact the ability of the sensor to determine a true source or destination address.

In Figure 14-6, Interfaces A and B are configured on the router. Interface A is on the inside of the NAT domain, whereas B is on the outside. The packet entering Interface A has a source address of 10.1.1.10 and a destination address of 100.20.10.10. The router processes the packet and sends it to the outbound interface, changing the source address of the outbound packet to 150.1.1.10. The outside domain sees this address as the IP address of the host inside the NAT domain.

Figure 14-6. Inside NAT and NM-CIDS

When the return packet arrives on Interface B, the source IP address is 100.20.10.10, whereas the destination IP address is 150.1.1.10. The router translates the destination address to 10.1.1.10 and sends the packet out Interface A.

If a 10.1.1.10 address is recorded by the NM-CIDS as the source address for packets moving from Interface A to Interface B, but a 150.1.1.10 address is recorded as the destination in the return packet moving from Interface B to Interface A, the NM-CIDS is unable to maintain a consistent session state. In order for a session state to be accurately maintained, either the 10.1.1.10 address or the 150.1.1.10 address must be recorded.

The outside, or global, IP addresses are often dynamically assigned and shared. If outside IP addresses were sent to the NM-CIDS, it would be difficult to identify which of the hosts on the inside network was attacked. Therefore, the router sends only the inside IP addresses to the NM-CIDS. In the scenario in the figure, only the 10.0.1.12 address is sent.

Outside NAT and NM-CIDS

With inside NAT, an inside local address is translated to an outside global address. Figure 14-7 shows the router's behavior in relation to the NM-CIDS when outside NAT, or outside-local to outside-global translation, is configured. The global address 10.1.1.10 is seen as 150.1.1.10 by the inside network. The inside address 100.20.10.10 is passed without translation by the router. The NM-CIDS analyzes the packet with the 150.1.1.10 address. When an attack is detected, the alarm contains information about the 150.1.1.10 address, and the attacker's actual address, 10.1.1.10, is not displayed. This means that the attack source may not be easily traced.

Figure 14-7. Outside NAT Example

IP Multicast, IP Broadcast, and UDP Flooding and NM-CIDS

When the router receives IP multicast traffic, UDP traffic, or IP broadcast traffic, the packets received on an input interface are forwarded on one or more output interfaces. In this situation, if the input interface is configured for IPS monitoring, the packet is sent to the NM-CIDS. However, if only the output interfaces are configured for monitoring, the packet is not forwarded to the NM-CIDS.

GRE Tunnels and NM-CIDS

The NM-CIDS does not analyze GRE-encapsulated packets. If a GRE packet is received and the incoming interface is enabled for IPS monitoring, the packet is not forwarded to the NM-CIDS for monitoring. However, if the router encapsulates a packet in a GRE tunnel and the incoming interface is enabled for IPS monitoring, the packet is sent to the NM-CIDS before encapsulation.

Packets Not Forwarded to NM-CIDS

There are other cases in which the packet is not inspected by the NM-CIDS. For example, Address Resolution Protocol (ARP) packets are not forwarded to the NM-CIDS. Therefore, ARP-based signatures are missed by the NM-CIDS. In addition, Cisco IOS software examines the IP header of all packets and drops any packet that contains an error, such as an irregularity in a field. Possible irregularities include the following:

• Bad IP version

• Incorrect IP option field

• Bad header length

• Total packet length greater than 8192 bytes or less than 20 bytes

• IP cyclic redundancy check (CRC) failure

• Time to Live (TTL) less than 1

NM-CIDS Installation and Configuration Tasks

The configuration tasks for the NM-CIDS are similar to those of the IPS sensor appliance, with the following exceptions:

• The initial configuration requires establishing a session from the router console.

• The NM-CIDS clock cannot be set directly. It must use the router's clock or a Network Time Protocol (NTP) server as a reference clock.

Installing and configuring the NM-CIDS involves the following tasks:

After completing your configuration, you should verify that the NM-CIDS is analyzing traffic, and you should back up the configuration when it is functioning properly.

Installing the NM-CIDS

Installing the NM-CIDS into your router involves performing the following tasks:

Inserting the NM-CIDS into a Router

When installing the NM-CIDS into your router, you need to follow a few guidelines. First, you need to power down your router if it is a 2600XM Series router or a 2691 router. This step is not necessary if you are installing the NM-CIDS into a 3660, 3725, or 3745 router since each of these allows online insertion and removal (OIR) of network cards (hot swapping the network module into the router's chassis).

You can install only one NM-CIDS into a router. Furthermore, you cannot operate Cisco IOS-IDS and NM-CIDS on the same router since the combination will adversely impact the performance of the router.

Connecting the NM-CIDS to the Network

To connect the NM-CIDS to the network, use a straight-through two-pair Category 5 unshielded twisted-pair (UTP) cable. Connect the RJ-45 port to the NM-CIDS Fast Ethernet 0 port, which is the command and control interface (the only external interface available). Connect the other end to a switch, hub, repeater, server, or other network device.

Verifying That the Router Recognizes the NM-CIDS

Make sure the router recognizes the NM-CIDS by using the show running-config command at the router console prompt. If the router recognizes the NM-CIDS, you should see the following line in the command output:

interface IDS-sensor1/0 

You can also use the show version command for the same purpose. If the router recognizes the NM-CIDS, the show version output contains the following line:

1 cisco ids sensor(s),ids monitoring on slot 1 

If the router does not recognize the presence of the NM-CIDS, verify that you are using the correct Cisco IOS version 12.2(15)ZJ or later and that the NM-CIDS is firmly seated in the router.

Verifying That Cisco IOS-IDS is Not Running

Running Cisco IOS-IDS while the NM-CIDS is present is not recommended because doing so significantly reduces router performance. The easiest way to determine whether Cisco IOS-IDS is enabled is to use the show ip audit interface command. If Cisco IOS-IDS is not running, the output of this command should be blank.

Configuring the Internal ids-sensor Interface

The router-side internal Fast Ethernet interface is known as interface ids-sensor. It can be seen in the Cisco IOS show interface and show controller command output. An IP address must be assigned to this interface in order to obtain console access to the NM-CIDS. However, if this IP address is advertised via routing updates, the monitoring interface itself can become vulnerable to attacks. Therefore, it is highly recommended that you assign a loopback address to this interface (since the loopback address is not advertised). To assign a loopback address to this interface, complete the following tasks:

Verifying the NM-CIDS Slot Number

Use the show interfaces ids-sensor command to confirm the NM-CIDS slot number in your router. Cisco IOS software gives the NM-CIDS the name "ids-sensor." Assuming that you put your NM- CIDS into slot 1, the appropriate show interfaces command output is as displayed in Example 14-1.

Example 14-1. Viewing NM-CIDS Interface Information Using the show interfaces Command

router# show interfaces ids-sensor 1/0 IDS-Sensor1/0 is up, line protocol is up   Hardware is I82559FE, address is 000d.bc3a.d090 (bia 000d.bc3a.d090)   Interface is unnumbered. Using address of Loopback0 (1.2.3.4)   MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation ARPA, loopback not set   Keepalive set (10 sec)   ARP type: ARPA, ARP Timeout 04:00:00   Last input 00:00:17, output 00:00:00, output hang never 

Note

The port number for the show interfaces command is always 0 since there is only one port on the NM-CIDS.

To display the contents of the currently running configuration file or the configuration for a specific interface, use the show running-config command in Privileged Exec mode, as displayed in Example 14-2. The show running-config command without any arguments or keywords displays the entire contents of the running configuration file.

Example 14-2. Viewing NM-CIDS Interface Information Using the show running-config Command

router# show running-config !*** Configuration content abbreviated for clarity *** interface FastEthernet0/1  ip address 172.30.2.2 255.255.255.0  duplex auto  speed auto ! interface IDS-Sensor1/0  ip unnumbered Loopback0  hold-queue 60 out 

Enabling CEF

Use the ip cef command to enable the CEF switching path. This must be done in order for the router to forward packets to the NM-CIDS.

Configuring the Interface

The session command used to access the NM-CIDS console starts a reverse Telnet connection using the IP address of the ids-sensor interface. The ids-sensor interface is between the NM-CIDS and the router. You must assign an IP address to the ids-sensor interface before invoking the session command. However, assigning a routable IP address can make the ids-sensor interface itself vulnerable to attacks. To counter that vulnerability, you can assign a loopback IP address to the ids-sensor interface.

Note

Usually, when using Telnet, you connect the client system to the server system. With reverse Telnet, the connection is reversed in that the server initiates the connection to the client when you invoke the session command to a specific port on the router.

Configuring a loopback interface for the ids-sensor interface involves choosing a loopback number and assigning an IP address to that loopback number. Example 14-3 assigns loopback 0 to the IP address 10.1.1.1.

Example 14-3. Assigning an IP Address to the Loopback Interface

Router# conf t Router(config)# interface loopback 0 Router(config-if)# ip address 10.1.1.1 255.255.255.255 

After you create the loopback interface and assign an IP address to it, you must map the loopback interface to the ids-sensor interface. Example 14-4 maps the loopback interface to the ids-sensor interface in slot 1.

Example 14-4. Assigning a Loopback Interface to the ids-sensor Interface

Router# conf t Router(config)# interface ids-sensor 1/0 Router(config-if)# ip unnumbered loopback 0 Router(config-if)# no shutdown Router(config-if)# end Router# write memory 

After completing the configuration of the ids-sensor interface, execute the show interfaces ids-sensor command to view the configuration. The output should be similar to that in Example 14-5.

Example 14-5. Verifying a Loopback Address Using the show interfaces Command

Router# show interfaces ids-sensor 1/0 IDS-Sensor1/0 is up, line protocol is up   Hardware is I82559FE, address is 000d.bc3a.d090 (bia 000d.bc3a.d090)   Interface is unnumbered. Using address of Loopback0 (10.1.1.1)   MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation ARPA, loopback not set   Keepalive set (10 sec)   ARP type: ARPA, ARP Timeout 04:00:00   Last input 00:00:17, output 00:00:00, output hang never   Last clearing of "show interface" counters never   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0   Queueing strategy: fifo   Output queue: 0/60 (size/max)   5 minute input rate 0 bits/sec, 0 packets/sec   5 minute output rate 1000 bits/sec, 2 packets/sec      3042 packets input, 185400 bytes, 0 no buffer      Received 0 broadcasts, 0 runts, 0 giants, 0 throttles      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored      0 input packets with dribble condition detected      63975 packets output, 6750422 bytes, 0 underruns      0 output errors, 0 collisions, 2 interface resets      0 babbles, 0 late collision, 0 deferred      0 lost carrier, 0 no carrier      0 output buffer failures, 0 output buffers swapped out 

Assigning the Clock Settings

The NM-CIDS clock cannot be set directly. It must use the router's clock or an NTP server as a reference clock. By default, the NM-CIDS automatically synchronizes its clock with the router time.

If you use the default setting, Greenwich Mean Time (GMT) is synchronized between the router and the NM-CIDS. The time zone and summer time settings are not synchronized between the router and the NM-CIDS. Therefore, be sure to set the time zone and summer time settings on both the router and the NM-CIDS to ensure that the GMT time settings are correct.

It is recommended that you use an NTP time synchronization source. NTP uses an authoritative time source to set the time on your NM-CIDS.

The following are clock recommendations, listed in order from the best choice to the worst choice:

1. Use NTP mode on the NM-CIDS.

2. Run an NTP client on the router, and use Cisco IOS clock mode on the NM-CIDS.

3. Run Cisco IOS clock mode on the NM-CIDS, and set the Cisco IOS time zone to UTC.

4. Run Cisco IOS clock mode on the NM-CIDS, and set the Cisco IOS time zone to the local time zone.

Note

The NM-CIDS alarm time stamps indicate both UTC and local time.

Using the Router Time Source

When using Cisco IOS clock mode, accurate NM-CIDS time depends on the following:

• Router's local time

• Router's time zone offset

• Router's summer time mode and offset

• NM-CIDS's time zone offset

• NM-CIDS's summer time mode and offset

When you use the router's clock, several factors impact the time values that your NM-CIDS uses to time-stamp events. Understanding the factors is crucial to effectively using the router's time for NM-CIDS.

Coordinated Universal Time (UTC) sent to the NM-CIDS is calculated by the router based on its local time, time zone, and summer time settings. If the router's time zone settings are incorrect, the UTC time sent to the NM-CIDS will also be incorrect. Therefore, you should configure the router clock to UTC to minimize configuration mistakes.

Whenever the router is rebooted, the router's clock setting is also reset. This can cause inconsistency in time stamps if the clock is not set correctly after each reboot.

Note

Transport Layer Security (TLS) certificates expire based on current time. If the router time is accidentally set to a time before the certificates were issued or a time after they expire, those certificates will not work.

Using an NTP Time Source

When you are using NTP mode, accurate NM-CIDS time depends on the following:

• NTP server's clock reference, which is configured in the router's Cisco IOS software

• NM-CIDS's NTP configuration

• NM-CIDS's time zone offset

• NM-CIDS's summer time mode and offset

Configuring NM-CIDS Clock Mode

To configure NTP mode, first specify the NTP server's IP address by using the ntp server command. The syntax for the ntp server command is as follows:

ntp server ip-address [version-number] [key keyid] [source-interface] [prefer] 

Table 14-2 explains the parameters for the ntp server command.

To complete the task of configuring your NM-CIDS to use NTP, define an authentication key for NTP by using the ntp authentication-key command. The authentication key consists of a key ID, which is a unique numeric identifier, and a key value, which is the authentication key. When this command is written to nonvolatile RAM (NVRAM), the key is encrypted so that it is not displayed when the configuration is viewed.

The syntax for the ntp authentication-key command is as follows:

ntp authentication-key number md5 value 

Table 14-3 explains the parameters for the ntp authentication-key command.

Setting Up Packet Monitoring

To configure packet monitoring, enter configuration mode for the interface you want the NM-CIDS to monitor. Then use the ids-service-module monitoring command to specify that all packets sent and received on this interface are sent to the NM-CIDS for inspection.

Note

You must configure each interface and subinterface that you want the NM-CIDS to monitor.

Suppose that you want to monitor traffic on FastEthernet 1/0 with NM-CIDS. To set up packet monitoring on this interface, perform the configuration commands in Example 14-6.

Example 14-6. Setting Up Packet Monitoring on FastEthernet 1/0

Router# configure terminal Router(config)# interface FastEthernet1/0 Router(config-if)# ids-service-module monitoring Router(config-if)# end Router# write memory 

Logging In to NM-CIDS Console

Unlike the IPS appliances, the NM-CIDS does not have its own console port. Internal UARTs provide console access to the NM-CIDS through the Cisco IOS software. The Cisco IOS software performs a reverse Telnet that enables you to access the NM-CIDS console. The reverse Telnet to the NM-CIDS console can be invoked indirectly by the service-module command or directly by using Telnet.

Accessing NM-CIDS via a Session

You can access NM-CIDS by using the service-module command. The syntax for this command is as follows:

service-module ids-sensor slot-number/port-number session 

For instance, to session in to the NM-CIDS located in slot 1 on your router, you would use the following command:

Router# service-module ids-sensor 1/0 session 

Accessing NM-CIDS via Telnet

Another method to access the NM-CIDS console is by using direct Telnet. You can open a Telnet session by using the IP address of any interface on the router and a special port number. This actually opens a connection to the console via the internal UART, just like the session command from the router console.

The formula for calculating the port number is (32 * slot number) + 2001. For example, the port number for slot 1 would be 2033, and the port number for slot 2 would be 2065.

Note

For Telnet access to work, you must also configure the vty port to support Telnet. For information on configuring VTY ports, refer to the Cisco IOS documentation.

NM-CIDS Login

Like the sensor appliances, the NM-CIDS is configured with a default Administrator account with a username and password of "cisco."

You can use this account to initially log in to the NM-CIDS. However, the default "cisco" password is temporary and expires upon initial login. When prompted, you must change the password for this default account to a string that is not a dictionary word and is at least eight alphanumeric characters long. Special characters are not supported. After logging in, you are presented with the privileged EXEC sensor prompt. You can then perform the initial NM-CIDS configuration as you would for any other sensor by using the setup command.

Performing Initial Sensor Configuration

After accessing the NM-CIDS CLI, you can perform the initial sensor configuration as you would for any other appliance sensor. This includes running the setup command. Chapter 2, "IPS Command-Line Interface," provides more information on the initial sensor configuration tasks.

NM-CIDS Maintenance Tasks

Besides the normal maintenance operations available to a sensor, with the NM-CIDS, you can perform some maintenance operations from the router CLI. The service-module ids-sensor command enables you to perform the following tasks from the router CLI:

• Reload the NM-CIDS

• Reset the NM-CIDS

• Establish a session to the NM-CIDS

• Shut down the NM-CIDS

• View the status of the NM-CIDS

The syntax for the service-module ids-sensor command is as follows:

service-module ids-sensor slot number/port number {reload | reset |      session | shutdown |status} 

Reloading the NM-CIDS

To reload the NM-CIDS from the router CLI, use the reload keyword for the service-module ids-sensor command. This command initiates a software reboot on the NM-CIDS that stops and then reloads the IPS sensor software. Example 14-7 illustrates reloading the NM-CIDS located in slot 1.

Example 14-7. Reloading the NM-CIDS

Router# service-module ids-sensor 1/0 reload Do you want to proceed with the reload? [confirm] y Trying to reload Service Module IDS-Sensor1/0 

Resetting the NM-CIDS

To reset the NM-CIDS from the router CLI, you use the reset keyword for the service-module ids-sensor command. This command initiates a hardware reboot of the NM-CIDS. Example 14-8 illustrates resetting the NM-CIDS located in slot 1.

Example 14-8. Resetting the NM-CIDS

Router# service-module ids-sensor 1/0 reset Use reset only to recover from shutdown or failed state Warning: May lose data on the hard disc! Do you want to reset? [confirm] y 

Warning

You should reset an NM-CIDS only to recover from a failed state. Resetting an operational NM-CIDS should be a last resort since it may cause you to lose all the data on the NM-CIDS hard disk.

Note

After you shut down the NM-CIDS, you will need to reset the NM-CIDS (or reboot the router) to return the NM-CIDS to operational status if you do not remove the module from the router.

Shutting Down the NM-CIDS

To shut down the NM-CIDS from the router CLI, use the shutdown keyword for the service-module ids-sensor command. This command gracefully halts the Linux operating system on the NM-CIDS. You typically use this command before removing the NM-CIDS from the router to avoid potentially corrupting the data on the NM-CIDS hard disk. Example 14-9 illustrates shutting down the NM-CIDS located in slot 1.

Example 14-9. Shutting Down the NM-CIDS

Router# service-module ids-sensor 1/0 shutdown Do you want to proceed with the reload? [confirm] y Use service module reset command to recover from shutdown Router# Dec 12 18:30:13.715: %SERVICEMODULE-5-SHUTDOWN2: Service module     IDS-Sensor1/0 shutdown complete 

Note

After removing the NM-CIDS, you should install a blank panel to cover the open slot if you do not reinsert a NM-CIDS or other router module.

Viewing the NM-CIDS Status

To view the status of the NM-CIDS from the router CLI, you use the status keyword for the service-module ids-sensor command. This command displays the status of the NM-CIDS software. If the NM-CIDS is operational, the following line is displayed in the output:

Service Module is in Steady state 

Example 14-10 illustrates viewing the status of the NM-CIDS located in slot 1.

Example 14-10. Viewing NM-CIDS Status Using the service-module Command

Router# service-module ids-sensor 1/0 status Service Module is Cisco IDS-Sensor1/0 Service Module supports session via TTY line 33 Service Module is in Steady state Getting status from the Service Module, please wait... Cisco Systems Intrusion Detection System Network Module   Software version:  4.1(1)S47   Model:NM-CIDS   Memory:254676 KB sensor# 

Recovering the NM-CIDS Software Image

In the following situations, you might need to recover the NM-CIDS software image:

• You cannot access the NM-CIDS, because of a lost password

• NM-CIDS operating system becomes corrupt

• NM-CIDS hard drive becomes corrupt

After you finish the recovery procedure, all NM-CIDS configuration settings are reset to the defaults. You must either use a backed-up configuration to restore your custom settings or re-enter them manually.

To recover the NM-CIDS software image, you need the following:

• Application image

• Helper image

• Latest signature and service pack updates

• Backup configuration file

Note

A helper image is an image used only for installing the application image. It is stored on a network TFTP server and downloaded by the NM-CIDS each time the helper image is booted.

Image recovery involves the following tasks:

Configuring the Boot Loader

To configure the boot loader, you must first download the helper file from Cisco.com to a TFTP server on your network and copy the helper image to the /tftpboot directory on your TFTP server. Then access the boot loader prompt. The following steps show how to access the boot loader prompt for an NM-CIDS in slot 1:

Please enter '***' to change boot configuration 

Booting the Helper Image

To boot the helper image, enter boot helper at the ServicesEngine boot-loader> prompt as shown in the following command line:

ServicesEngine boot-loader> boot helper 

The boot loader brings up the external interface and locates the TFTP server host. When the TFTP load actually begins, a spinning character is displayed to indicate packets arriving from the TFTP server. When the load completes, a message indicates that the helper is valid, and the helper utility is launched, as shown in the output in Example 14-11.

Example 14-11. Boot Helper Menu Options

Image signature verified successfully. Cisco Systems, Inc. Services engine helper utility for NM-CIDS Version 1.0(1) [200305011547] -- -- - Main menu 1 - Download application image and write to HDD 2 - Download bootloader and write to flash 3 - Display software version on HDD 4 - Display total RAM size 5 - Change file transfer method (currently secure shell) r - Exit and reset Services Engine h - Exit and shutdown Services Engine Selection [12345rh]: 

Selecting the File Transfer Method

From the helper image, you select 5 to choose the file transfer method to be used for downloading the application image. This controls the protocol used for downloading application and boot-loader image files only. The boot loader always uses TFTP when downloading the helper image. The command sequence in Example 14-12 selects Secure Shell (SSH) to retrieve the image files.

Example 14-12. Selecting SSH for Boot Helper File Transfer

Selection [12345rh]: 5 Change file transfer method menu The current file transfer method is secure shell. 1 - Change to secure shell 2 - Change to tftp r - return to main menu 1 

Installing the Application Image

To begin re-imaging the hard disk, enter 1 at the Selection [12345rh]: prompt. Then you need to complete the following steps:

If the restore is successful, you receive the message in Example 14-13 and are then returned to the main menu with the Selection [12345rh]: prompt.

Example 14-13. Boot Helper Successful Restore Message

Disk restore was successful The operation was successful 

Booting the Application Image

After downloading and installing the application image, reboot the NM-CIDS by entering r at the Selection [12345rh]: prompt, as shown in the command output in Example 14-14.

Example 14-14. Rebooting the NM-CIDS by Using the Boot Helper

Selection [12345rh]: r About to exit and reset Services Engine Are you sure? [y/n] y 

After the reboot, you must initialize your NM-CIDS by logging in to the NM-CIDS and running the setup command. After running setup, you will also need to restore the NM-CIDS original configuration or reconfigure it manually.

Configuring the IPS Application

The same software revision upgrades, service packs, and signature updates that you use for any Cisco IPS sensor also apply to the NM-CIDS. After installing the application image, you need to use the upgrade CLI command to restore the NM-CIDS software to the correct service pack level and signature release. The upgrade process is the same as for other Cisco IPS sensors.