Cisco IPS-4255-K9 - Intrusion Protection Sys 4255, IPS 4255, IPS 4260, IPS 4270-20, AIP SSM-10 Installation Manual

...

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

Americas Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

Text Part Number: OL-18504-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If the equipment causes interference to radio or television reception, which can be determined by turning the equipment off and on, users are encouraged to try to correct the interference by using one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

• Consult the dealer or an experienced radio/TV technician for help.

Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

CONTENTS

Preface xiii

Contents xiii

Audience xiii

Comply with Local and National Electrical Codes xiii

Organization xv

Conventions xv

Related Documentation xvi

Obtaining Documentation and Submitting a Service Request xvii

CHAPTER

1 Introducing the Sensor 1-1

How the Sensor Functions 1-1

Capturing Network Traffic 1-1 Your Network Topology 1-3 Correctly Deploying the Sensor 1-3 Tuning the IPS 1-3 Sensor Interfaces 1-4

Understanding Sensor Interfaces 1-4 Command and Control Interface 1-5 Sensing Interfaces 1-6 Interface Support 1-6 TCP Reset Interfaces 1-9 Interface Restrictions 1-10

Interface Modes 1-12

Promiscuous Mode 1-12 IPv6, Switches, and Lack of VACL Capture 1-13 Inline Interface Pair Mode 1-14 Inline VLAN Pair Mode 1-15 VLAN Group Mode 1-15 Deploying VLAN Groups 1-16

Supported Sensors 1-17

IPS Appliances 1-18

Introducing the IPS Appliance 1-18 Appliance Restrictions 1-19 Connecting an Appliance to a Terminal Server 1-19

OL-18504-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

iii

Contents

IPS Modules 1-20

Introducing the AIM IPS 1-20 Introducing the AIP SSM 1-22 Introducing the IDSM2 1-24 Introducing the NME IPS 1-25

Time Sources and the Sensor 1-26

The Sensor and Time Sources 1-26 Synchronizing IPS Module System Clocks with the Parent Device System Clock 1-28 Verifying the Sensor is Synchronized with the NTP Server 1-28 Correcting the Time on the Sensor 1-29

Installation Preparation 1-29

Site and Safety Guidelines 1-30

Site Guidelines 1-30 Rack Configuration Guidelines 1-30 Electrical Safety Guidelines 1-31 Power Supply Guidelines 1-32 Working in an ESD Environment 1-32

CHAPTER

Cable Pinouts 1-33

10/100BaseT and 10/100/1000BaseT Connectors 1-34 Console Port (RJ-45) 1-35 RJ-45 to DB-9 or DB-25 1-36

2 Installing the IPS 4240 and the IPS 4255 2-1

Introducing the IPS 4240 and the IPS 4255 2-1

Front and Back Panel Features 2-2

Specifications 2-4

Connecting the IPS 4240 to a Cisco 7200 Series Router 2-5

Accessories 2-5

Important Safety Instructions 2-5

Rack Mounting 2-6

Installing the IPS 4240 and the IPS 4255 2-7

Installing the IPS 4240-DC 2-10

3 Installing the IPS 4260 3-1

Introducing the IPS 4260 3-1

Supported Interface Cards 3-2

Hardware Bypass 3-4

4GE Bypass Interface Card 3-4

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

OL-18504-01

Hardware Bypass Configuration Restrictions 3-5 Hardware Bypass and Link Changes and Drops 3-6

Front and Back Panel Features 3-6

Specifications 3-9

Accessories 3-9

Important Safety Instructions 3-10

Rack Mounting 3-10

Installing the IPS 4260 in a 4-Post Rack 3-10 Installing the IPS 4260 in a 2-Post Rack 3-13

Installing the IPS 4260 3-15

Removing and Replacing the Chassis Cover 3-18

Installing and Removing Interface Cards 3-20

Installing and Removing the Power Supply 3-22

Contents

CHAPTER

4 Installing the IPS 4270-20 4-1

Introducing the IPS 4270-20 4-2

Supported Interface Cards 4-3

Hardware Bypass 4-5

4GE Bypass Interface Card 4-5 Hardware Bypass Configuration Restrictions 4-6 Hardware Bypass and Link Changes and Drops 4-7

Front and Back Panel Features 4-7

Diagnostic Panel 4-11

Internal Components 4-13

Specifications 4-14

Accessories 4-15

Installing the Rail System Kit 4-15

Understanding the Rail System Kit 4-15 Rail System Kit Contents 4-16 Space and Airflow Requirements 4-16 Installing the IPS 4270-20 in the Rack 4-17 Extending the IPS 4270-20 from the Rack 4-25 Installing the Cable Management Arm 4-28 Converting the Cable Management Arm 4-31

Installing the IPS 4270-20 4-35

Removing and Replacing the Chassis Cover 4-38

Accessing the Diagnostic Panel 4-41

OL-18504-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

Contents

Installing and Removing Interface Cards 4-41

Installing and Removing the Power Supply 4-44

Installing and Removing Fans 4-49

Troubleshooting Loose Connections 4-51

CHAPTER

5 Installing the AIM IPS 5-1

Specifications 5-1

Before Installing the AIM IPS 5-2

Software and Hardware Requirements 5-2

Interoperability With Other IPS Modules 5-3

Restrictions 5-3

Hardware Interfaces 5-4

Installation and Removal Instructions 5-5

Verifying Installation 5-6

6 Installing the AIP SSM 6-1

Specifications 6-1

Memory Specifications 6-2

Hardware and Software Requirements 6-2

Indicators 6-2

Installation and Removal Instructions 6-3

Installing the AIP SSM 6-3 Verifying the Status of the AIP SSM 6-4 Removing the AIP SSM 6-5

CHAPTER

7 Installing the IDSM2 7-1

Specifications 7-1

Software and Hardware Requirements 7-2

Minimum Supported the IDSM2 Configurations 7-2

Using the TCP Reset Interface 7-3

Front Panel Features 7-3

Installation and Removal Instructions 7-4

Required Tools 7-4 Slot Assignments 7-5 Installing the IDSM2 7-5 Verifying Installation 7-9 Removing the IDSM2 7-10

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

OL-18504-01

Enabling Full Memory Tests 7-12

Catalyst Software 7-12 Cisco IOS Software 7-13

Resetting the IDSM2 7-13

Catalyst Software 7-13 Cisco IOS Software 7-14

Powering the IDSM2 Up and Down 7-15

Catalyst Software 7-15 Cisco IOS Software 7-16

Contents

CHAPTER

8 Installing the NME IPS 8-1

Specifications 8-1

Before Installing the NME IPS 8-2

Software and Hardware Requirements 8-2

Interoperability With Other IPS Modules 8-3

Restrictions 8-3

Hardware Interfaces 8-4

Installation and Removal Instructions 8-5

Verifying Installation 8-6

9 Logging In to the Sensor 9-1

Supported User Roles 9-1

Logging In to the Appliance 9-2

Connecting an Appliance to a Terminal Server 9-3

Logging In to the AIM IPS 9-4

The AIM IPS and the session Command 9-4 Sessioning In to the AIM IPS 9-5

Logging In to AIP SSM 9-6

Logging In to the IDSM2 9-8

Logging In to the NME IPS 9-9

The NME IPS and the session Command 9-9 Sessioning In to the NME IPS 9-10

Logging In to the Sensor 9-11

CHAPTER

10 Initializing the Sensor 10-1

Understanding Initialization 10-1

Simplified Setup Mode 10-1

OL-18504-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

vii

Contents

System Configuration Dialog 10-2

Basic Sensor Setup 10-4

Advanced Setup 10-7

Advanced Setup for the Appliance 10-8 Advanced Setup for the AIM IPS 10-13 Advanced Setup for the AIP SSM 10-16 Advanced Setup for the IDSM2 10-20 Advanced Setup for the NME IPS 10-25

Verifying Initialization 10-28

CHAPTER

11 Obtaining Software 11-1

Obtaining Cisco IPS Software 11-1

IPS Software Versioning 11-2

Software Release Examples 11-6

Upgrading Cisco IPS Software to 7.0 11-7

Accessing IPS Documentation 11-9

Cisco Security Intelligence Operations 11-9

Obtaining a License Key From Cisco.com 11-10

Understanding Licensing 11-10 Service Programs for IPS Products 11-11 Obtaining and Installing the License Key Using IDM or IME 11-11 Obtaining and Installing the License Key Using the CLI 11-13

12 Upgrading, Downgrading, and Installing System Images 12-1

Upgrades, Downgrades, and System Images 12-1

Supported FTP and HTTP/HTTPS Servers 12-2

Upgrading the Sensor 12-2

IPS 7.0 Upgrade Files 12-2 upgrade Command and Options 12-3 Using the upgrade Command 12-4 Upgrading the Recovery Partition 12-5

Configuring Automatic Upgrades 12-6

Automatic Upgrades 12-6 auto-upgrade Command and Options 12-7 Using the auto-upgrade Command 12-8 Automatic Upgrade Examples 12-10

Downgrading the Sensor 12-11

Recovering the Application Partition 12-12

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

viii

OL-18504-01

Application Partition 12-12 Using the recover Command 12-12

Installing System Images 12-13

Understanding ROMMON 12-14 Supported TFTP Servers 12-14 Connecting an Appliance to a Terminal Server 12-14 Installing the IPS 4240 and IPS 4255 System Images 12-15 Installing the IPS 4260 System Image 12-18 Installing the IPS 4270-20 System Image 12-20 Installing the AIM IPS System Image 12-23 Installing the AIP SSM System Image 12-25

Reimaging the AIP SSM 12-26 Reimaging the AIP SSM Using the recover configure/boot Command 12-26

Installing the IDSM2 System Image 12-28

Understanding the IDSM2 System Image 12-28 Installing the IDSM2 System Image for Catalyst Software 12-28 Installing the IDSM2 System Image for Cisco IOS Software 12-29 Configuring the IDSM2 Maintenance Partition for Catalyst Software 12-31 Configuring the IDSM2 Maintenance Partition for Cisco IOS Software 12-35 Upgrading the IDSM2 Maintenance Partition for Catalyst Software 12-38 Upgrading the IDSM2 Maintenance Partition for Cisco IOS Software 12-39

Installing the NME IPS System Image 12-40

Contents

APPENDIX

OL-18504-01

A Troubleshooting A-1

Bug Toolkit A-1

Preventive Maintenance A-2

Understanding Preventive Maintenance A-2 Creating and Using a Backup Configuration File A-3 Backing Up and Restoring the Configuration File Using a Remote Server A-3 Creating the Service Account A-5

Disaster Recovery A-6

Recovering the Password A-7

Understanding Password Recovery A-8 Recovering the Appliance Password A-8

Using the GRUB Menu A-8

Using ROMMON A-9 Recovering the AIM IPS Password A-10 Recovering the AIP SSM Password A-10 Recovering the IDSM2 Password A-13

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

Contents

Recovering the NME IPS Password A-13 Disabling Password Recovery A-14 Verifying the State of Password Recovery A-15 Troubleshooting Password Recovery A-15

Time and the Sensor A-16

Time Sources and the Sensor A-16 Synchronizing IPS Module Clocks with Parent Device Clocks A-17 Verifying the Sensor is Synchronized with the NTP Server A-17 Correcting Time on the Sensor A-18

Advantages and Restrictions of Virtualization A-18

Supported MIBs A-19

When to Disable Anomaly Detection A-20

Troubleshooting Global Correlation A-20

Analysis Engine Not Responding A-21

Troubleshooting External Product Interfaces A-22

External Product Interfaces Issues A-22 External Product Interfaces Troubleshooting Tips A-23

Troubleshooting the Appliance A-23

Hardware Bypass and Link Changes and Drops A-24 Troubleshooting Loose Connections A-24 Analysis Engine is Busy A-25 Connecting the IPS 4240 to a Cisco 7200 Series Router A-25 Communication Problems A-26

Cannot Access the Sensor CLI Through Telnet or SSH A-26 Correcting a Misconfigured Access List A-28 Duplicate IP Address Shuts Interface Down A-29

SensorApp and Alerting A-30

SensorApp Not Running A-30 Physical Connectivity, SPAN, or VACL Port Issue A-32 Unable to See Alerts A-33 Sensor Not Seeing Packets A-35 Cleaning Up a Corrupted SensorApp Configuration A-37

Blocking A-37

Troubleshooting Blocking A-38 Verifying ARC is Running A-38 Verifying ARC Connections are Active A-39 Device Access Issues A-41 Verifying the Interfaces and Directions on the Network Device A-43 Enabling SSH Connections to the Network Device A-43

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

OL-18504-01

Blocking Not Occurring for a Signature A-44

Verifying the Master Blocking Sensor Configuration A-45 Logging A-46

Understanding Debug Logging A-46

Enabling Debug Logging A-47

Zone Names A-50

Directing cidLog Messages to SysLog A-51 TCP Reset Not Occurring for a Signature A-52 Software Upgrades A-53

Upgrading and Analysis Engine A-54

Which Updates to Apply and Their Prerequisites A-54

Issues With Automatic Update A-55

Updating a Sensor with the Update Stored on the Sensor A-55

Troubleshooting IDM A-56

Cannot Launch IDM - Loading Java Applet Failed A-56 Cannot Launch IDM-Analysis Engine Busy A-57 IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor A-57 Signatures Not Producing Alerts A-58

Contents

Troubleshooting IME A-59

Time Synchronization on IME and the Sensor A-59 Not Supported Error Message A-59

Troubleshooting the IDSM2 A-59

Diagnosing IDSM2 Problems A-60 Minimum Supported IDSM2 Configurations A-61 Switch Commands for Troubleshooting A-61 Status LED Off A-62 Status LED On But the IDSM2 Does Not Come Online A-63 Cannot Communicate With the IDSM2 Command and Control Port A-64 Using the TCP Reset Interface A-66 Connecting a Serial Cable to the IDSM2 A-66

Troubleshooting the AIP SSM A-66

Health and Status Information A-67 The AIP SSM and the Data Plane A-69 AIM SSP and the Normalizer Engine A-69

Troubleshooting the AIM IPS and the NME IPS A-69

Interoperability With Other IPS Network Modules A-69

Gathering Information A-70

Health and Network Security Information A-70 Tech Support Information A-71

OL-18504-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

Contents

Understanding the show tech-support Command A-71 Displaying Tech Support Information A-71 Tech Support Command Output A-72

Version Information A-74

Understanding the show version Command A-74 Displaying Version Information A-74

Statistics Information A-76

Understanding the show statistics Command A-77 Displaying Statistics A-77

Interfaces Information A-87

Understanding the show interfaces Command A-87 Interfaces Command Output A-87

Events Information A-88

Sensor Events A-88 Understanding the show events Command A-89 Displaying Events A-89

Clearing Events A-92 cidDump Script A-92 Uploading and Accessing Files on the Cisco FTP Site A-93

LOSSARY

NDEX

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

xii

OL-18504-01

Contents

Preface

Revised: April 4, 2012, OL-18504-01

This guide describes how to install appliances and modules that support Cisco IPS 7.0. It includes a glossary that contains expanded acronyms and pertinent IPS terms. It is part of the documentation set for Cisco Intrusion Prevention System 7.0. Use this guide in conjunction with the documents listed in

Related Documentation, page xvi. This preface contains the following sections:

• Audience, page xiii

• Comply with Local and National Electrical Codes, page xiii

• Organization, page xv

• Conventions, page xv

• Related Documentation, page xvi

• Obtaining Documentation and Submitting a Service Request, page xvii

Audience

This guide is for experienced network security administrators who install and maintain Cisco IPS sensors, including the supported IPS appliances and modules.

Comply with Local and National Electrical Codes

Warning

Installation of the equipment must comply with local and national electrical codes.

Statement 1074

Waarschuwing

Varoitus

OL-18504-01

Bij installatie van de apparatuur moet worden voldaan aan de lokale en nationale elektriciteitsvoorschriften.

Laitteisto tulee asentaa paikallisten ja kansallisten sähkömääräysten mukaisesti.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

xiii

Contents

Preface

Attention

Warnung

Avvertenza

Advarsel

Aviso

¡Advertencia!

Varning!

L'équipement doit être installé conformément aux normes électriques nationales et locales.

Die Installation der Geräte muss den Sicherheitsstandards entsprechen.

L'installazione dell'impianto deve essere conforme ai codici elettrici locali e nazionali.

Installasjon av utstyret må samsvare med lokale og nasjonale elektrisitetsforskrifter.

A instalação do equipamento tem de estar em conformidade com os códigos eléctricos locais e nacionais.

La instalación del equipo debe cumplir con las normativas de electricidad locales y nacionales.

Installation av utrustningen måste ske i enlighet med gällande elinstallationsföreskrifter.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

xiv

OL-18504-01

Preface

Organization

This guide includes the following sections:

Section Title Description

1 “Introducing the Sensor” Describes IPS appliances and modules.

2 “Installing the IPS 4240 and the

3 “Installing the IPS 4260” Describes how to install the IPS 4260.

4 “Installing the IPS 4270-20” Describes how to install the IPS 4270-20.

5 “Installing the AIM IPS” Describes how to install the AIM IPS.

6 “Installing the AIP SSM” Describes how to install the AIP SSM.

7 “Installing the IDSM2” Describes how to install the IDSM2.

8 “Installing the NME IPS” Describes how to install the NME IPS

9 “Logging In to the Sensor” Describes how to log in to the various sensors.

10 “Initializing the Sensor” Describes how to use the setup command to

11 “Obtaining Software” Describes where to go to get the latest IPS

12 “Upgrading, Downgrading, and

A “Troubleshooting” Contains troubleshooting tips for IPS hardware

Describes how to install the IPS 4240 and the

IPS 4255”

Installing System Images”

“Glossary” Contains IPS acronyms and terms.

IPS 4255.

initialize sensors.

software and describes the naming conventions.

Describes how to upgrade sensors and reimage the various sensors.

and software.

Contents

Conventions

This document uses the following conventions:

Convention Indication

bold font Commands and keywords and user-entered text appear in bold font.

italic font Document titles, new or emphasized terms, and arguments for which you supply

[ ] Elements in square brackets are optional.

OL-18504-01

values are in italic font.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

Contents

Preface

{x | y | z } Required alternative keywords are grouped in braces and separated by

vertical bars.

[ x | y | z ] Optional alternative keywords are grouped in brackets and separated by

vertical bars.

string A nonquoted set of characters. Do not use quotation marks around the string or

the string will include the quotation marks.

courier font Terminal sessions and information the system displays appear in courier font.

< > Nonprinting characters such as passwords are in angle brackets.

[ ] Default responses to system prompts are in square brackets.

!, # An exclamation point (!) or a pound sign (#) at the beginning of a line of code

indicates a comment line.

Note Means reader take note.

Tip Means the following information will help you solve a problem.

Caution Means reader be careful. In this situation, you might perform an action that could result in equipment

damage or loss of data.

Timesaver Means the described action saves time. You can save time by performing the action described in

the paragraph.

Warning

Means reader be warned. In this situation, you might perform an action that could result in bodily injury.

Related Documentation

For more information on Cisco IPS, refer to the following documentation found at this URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html

• Documentation Roadmap for Cisco Intrusion Prevention System

• Release Notes for Cisco Intrusion Prevention System

• Installing and Using Cisco Intrusion Prevention System Device Manager

• Installing and Using Cisco Intrusion Prevention System Manager Express

• Cisco Intrusion Prevention System Command Reference

• Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface

• Installling and Removing Interface Cards in Cisco IPS-4260 and IPS 4270-20

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

xvi

OL-18504-01

Preface

Contents

• Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200

Series Appliance Sensor

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

OL-18504-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

xvii

Contents

Preface

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

xviii

OL-18504-01

CHA P TER

Introducing the Sensor

This chapter introduces the sensor and provides information you should know before you install the sensor. In this guide, the term sensor refers to all models unless noted otherwise. For a complete list of supported sensors and their model numbers, see Supported Sensors, page 1-17. This chapter contains the following sections:

• How the Sensor Functions, page 1-1

• Supported Sensors, page 1-17

• IPS Appliances, page 1-18

• IPS Modules, page 1-20

• Time Sources and the Sensor, page 1-26

• Installation Preparation, page 1-29

• Site and Safety Guidelines, page 1-30

• Cable Pinouts, page 1-33

How the Sensor Functions

This section describes how the sensor functions, and contains the following topics:

• Capturing Network Traffic, page 1-1

• Your Network Topology, page 1-3

• Correctly Deploying the Sensor, page 1-3

• Tuning the IPS, page 1-3

• Sensor Interfaces, page 1-4

• Interface Modes, page 1-12

Capturing Network Traffic

The sensor can operate in either promiscuous or inline mode. Figure 1-1 on page 1-2 shows how you can deploy a combination of sensors operating in both inline (IPS) and promiscuous (IDS) modes to protect your network.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

OL-18504-01

1-1

How the Sensor Functions

Sensor deployed

in IDS mode

Public services segment

Campus core

Attacker

Internet

Sensor deployed

in IPS mode

Sensor deployed in IPS mode

Sensor deployed in hybrid mode to deliver IDS services outside router and IPS services inside the firewall

Service provider, partner, or branch office network

Multiple IPS sensors deliver a highly scalable, load-balanced solution via Cisco Etherchannel technology on Cisco Catalyst Switches

148416

Main campus

Figure 1-1 Comprehensive Deployment Solutions

Chapter 1 Introducing the Sensor

The command and control interface is always Ethernet. This interface has an assigned IP address, which allows it to communicate with the manager workstation or network devices (Cisco switches, routers, and firewalls). Because this interface is visible on the network, you should use encryption to maintain data privacy. SSH is used to protect the CLI and TLS/SSL is used to protect the manager workstation. SSH and TLS/SSL are enabled by default on the manager workstations.

When responding to attacks, the sensor can do the following:

• Insert TCP resets via the sensing interface.

Note You should select the TCP reset action only on signatures associated with a TCP-based

service. If selected as an action on non-TCP-based services, no action is taken. Additionally, TCP resets are not guaranteed to tear down an offending session because of limitations in the TCP protocol.

• Make ACL changes on switches, routers, and firewalls that the sensor manages.

Note ACLs may block only future traffic, not current traffic.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

1-2

OL-18504-01

Chapter 1 Introducing the Sensor

• Generate IP session logs, session replay, and trigger packets display.

IP session logs are used to gather information about unauthorized use. IP log files are written when events occur that you have configured the appliance to look for.

• Implement multiple packet drop actions to stop worms and viruses.

Your Network Topology

Before you deploy and configure your sensors, you should understand the following about your network:

• The size and complexity of your network.

• Connections between your network and other networks (and the Internet).

• The amount and type of network traffic on your network.

This knowledge will help you determine how many sensors are required, the hardware configuration for each sensor (for example, the size and type of network interface cards), and how many managers are needed.

How the Sensor Functions

Correctly Deploying the Sensor

You should always position the IPS sensor behind a perimeter-filtering device, such as a firewall or adaptive security appliance. The perimeter device filters traffic to match your security policy thus allowing acceptable traffic in to your network. Correct placement significantly reduces the number of alerts, which increases the amount of actionable data you can use to investigate security violations. If you position the IPS sensor on the edge of your network in front of a firewall, your sensor will produce alerts on every single scan and attempted attack even if they have no significance to your network implementation. You will receive hundreds, thousands, or even millions of alerts (in a large enterprise environment) that are not really critical or actionable in your environment. Analyzing this type of data is time consuming and costly.

Tuning the IPS

Tuning the IPS ensures that the alerts you see reflect true actionable information. Without tuning the IPS, it is difficult to do security research or forensics on your network because you will have thousands of benign events, also known as false positives. False positives are a by-product of all IPS devices, but they occur much less frequently in Cisco IPS devices since Cisco IPS devices are stateful, normalized, and use vulnerability signatures for attack evaluation. Cisco IPS devices also provide risk rating, which identifies high risk events, and policy-based management, which lets you deploy rules to enforce IPS signature actions based on risk rating.

Follow these tips when tuning your IPS sensors:

• Place your sensor on your network behind a perimeter-filtering device.

Proper sensor placement can reduce the number of alerts you need to examine by several thousands a day.

• Deploy the sensor with the default signatures in place.

The default signature set provides you with a very high security protection posture. The Cisco signature team has spent many hours on testing the defaults to give your sensor the highest protection. If you think that you have lost these defaults, you can restore them.

OL-18504-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

1-3

How the Sensor Functions

Chapter 1 Introducing the Sensor

• Make sure that the event action override is set to drop packets with a risk rating greater than 90.

This is the default and ensures that high risk alerts are stopped immediately.

• Filter out known false positives caused by specialized software, such as vulnerability scanner and

load balancers by one of the following methods:

–

You can configure the sensor to ignore the alerts from the IP addresses of the scanner and load balancer.

–

You can configure the sensor to allow these alerts and then use IME to filter out the false positives.

• Filter the Informational alerts.

These low priority events notifications could indicate that another device is doing reconnaissance on a device protected by the IPS. Research the source IP addresses from these Informational alerts to determine what the source is.

• Analyze the remaining actionable alerts:

–

Research the alert.

–

Fix the attack source.

–

Fix the destination host.

For More Information

• For a detailed description of risk rating, refer to Calculating the Risk Rating.

• For information on Cisco signatures, for IDM and IME refer to Defining Signatures, and for the CLI

• For detailed information on event action overrides, for IDM and IME refer to Configuring Event

• For information on using Cisco IME, refer to Installing and Using Cisco Intrusion Prevention

Sensor Interfaces

This section describes the sensor interfaces, and contains the following topics:

• Understanding Sensor Interfaces, page 1-4

• Command and Control Interface, page 1-5

• Sensing Interfaces, page 1-6

• Interface Support, page 1-6

• TCP Reset Interfaces, page 1-9

• Interface Restrictions, page 1-10

–

Modify the IPS policy to provide more information.

refer to Defining Signatures.

Action Overrides, and for the CLI, refer to Configuring Event Action Overrides.

System Manager Express 7.0.

Understanding Sensor Interfaces

The sensor interfaces are named according to the maximum speed and physical location of the interface. The physical location consists of a port number and a slot number. All interfaces that are built-in on the sensor motherboard are in slot 0, and the PCI expansion slots are numbered beginning with slot 1 for the bottom slot with the slot numbers increasing from bottom to top (except for the IPS 4270-20, where the

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

1-4

OL-18504-01

Chapter 1 Introducing the Sensor

ports are numbered from top to bottom). Interfaces with a given slot are numbered beginning with port 0 for the right port with the port numbers increasing from right to left. For example, GigabitEthernet2/1 supports a maximum speed of 1 Gigabit and is the second-from-the-right interface in the second-from-the bottom PCI expansion slot. The IPS 4240, IPS 4255, IPS 4260, and IPS 4270-20 are exceptions to this rule. The command and control interface on these sensors is called Management0/0 rather than GigabitEthernet0/0. The IPS 4270-20 has an additional interface called Management0/1, which is reserved for future use.

There are three interface roles:

• Command and control

• Sensing

• Alternate TCP reset

There are restrictions on which roles you can assign to specific interfaces and some interfaces have multiple roles. You can configure any sensing interface to any other sensing interface as its TCP reset interface. The TCP reset interface can also serve as an IDS (promiscuous) sensing interface at the same time. The following restrictions apply:

• Because the AIM IPS, AIP SSM, and NME IPS only have one sensing interface, you cannot

configure a TCP reset interface.

• Because of hardware limitations on the Catalyst switch, both of the IDSM2 sensing interfaces are

permanently configured to use System0/1 as the TCP reset interface.

How the Sensor Functions

• The TCP reset interface that is assigned to a sensing interface has no effect in inline interface or

inline VLAN pair mode, because TCP resets are always sent on the sensing interfaces in those modes.

Note Each physical interface can be divided into VLAN group subinterfaces, each of which

consists of a group of VLANs on that interface.

Command and Control Interface

The command and control interface has an IP address and is used for configuring the sensor. It receives security and status events from the sensor and queries the sensor for statistics.

The command and control interface is permanently enabled. It is permanently mapped to a specific physical interface, which depends on the specific model of sensor. You cannot use the command and control interface as either a sensing or alternate TCP reset interface.

Table 1 -1 lists the command and control interfaces for each sensor.

Table 1-1 Command and Control Interfaces

Sensor Command and Control Interface

AIM IPS Management0/0

AIP SSM-10 GigabitEthernet0/0

AIP SSM-20 GigabitEthernet0/0

AIP SSM-40 GigabitEthernet0/0

IDSM2 GigabitEthernet0/2

IPS 4240 Management0/0

OL-18504-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

1-5

How the Sensor Functions

Sensing Interfaces

Chapter 1 Introducing the Sensor

Table 1-1 Command and Control Interfaces (continued)

Sensor Command and Control Interface

IPS 4255 Management0/0

IPS 4260 Management0/0

IPS 4270-20 Management0/0

NME IPS Management0/01

Sensing interfaces are used by the sensor to analyze traffic for security violations. A sensor has one or more sensing interfaces depending on the sensor. Sensing interfaces can operate individually in promiscuous mode or you can pair them to create inline interfaces.

Note On appliances, all sensing interfaces are disabled by default. You must enable them to use them. On

modules, the sensing interfaces are permanently enabled.

Some appliances support optional interface cards that add sensing interfaces to the sensor. You must insert or remove these optional cards while the sensor is powered off. The sensor detects the addition or removal of a supported interface card. If you remove an optional interface card, some of the interface configuration is deleted, such as the speed, duplex, description string, enabled/disabled state of the interface, and any inline interface pairings. These settings are restored to their default settings when the card is reinstalled. However, the assignment of promiscuous and inline interfaces to the Analysis Engine is not deleted from the Analysis Engine configuration, but is ignored until those cards are reinserted and you create the inline interface pairs again.

Interface Support

Table 1 -2 describes the interface support for appliances and modules running Cisco IPS.

Table 1-2 Interface Support

Added Interface

Base Chassis

Cards

AIM IPS — GigabitEthernet0/1 by

AIP SSM-10 — GigabitEthernet0/1 by

Interfaces Supporting Inline VLAN Pairs (Sensing Ports)

ids-service-module command in the router configuration instead of VLAN pair or inline interface pair

security context instead of VLAN pair or inline interface pair

Combinations Supporting Inline Interface Pairs

GigabitEthernet0/1 by ids-service-module command in the router configuration instead of VLAN pair or inline interface pair

GigabitEthernet0/1 by security context instead of VLAN pair or inline interface pair

Interfaces Not Supporting Inline (Command and Control Port)

Management0/0

GigabitEthernet0/0

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

1-6

OL-18504-01

Chapter 1 Introducing the Sensor

Table 1-2 Interface Support (continued)

How the Sensor Functions

Added Interface

Base Chassis

Cards

AIP SSM-20 — GigabitEthernet0/1 by

Interfaces Supporting Inline VLAN Pairs (Sensing Ports)

security context instead of VLAN pair or inline

Combinations Supporting Inline Interface Pairs

GigabitEthernet0/1 by security context instead of VLAN pair or inline interface pair

Interfaces Not Supporting Inline (Command and Control Port)

GigabitEthernet0/0

interface pair

AIP SSM-40 — GigabitEthernet0/1 by

security context instead of VLAN pair or inline

GigabitEthernet0/1 by security context instead of VLAN pair or inline interface pair

GigabitEthernet0/0

interface pair

IDSM2 — GigabitEthernet0/7

0/7<->0/8 GigabitEthernet0/2

GigabitEthernet0/8

IPS 4240 — GigabitEthernet0/0

GigabitEthernet0/1 GigabitEthernet0/2 GigabitEthernet0/3

0/0<->0/1 0/0<->0/2 0/0<->0/3 0/1<->0/2

Management0/0

0/1<->0/3 0/2<->0/3

IPS 4255 — GigabitEthernet0/0

GigabitEthernet0/1 GigabitEthernet0/2 GigabitEthernet0/3

0/0<->0/1 0/0<->0/2 0/0<->0/3 0/1<->0/2

Management0/0

0/1<->0/3 0/2<->0/3

IPS 4260 — GigabitEthernet0/1 N/A Management0/0

IPS 4260 4GE-BP

GigabitEthernet0/1

Management0/0

Slot 1

Slot 2

IPS 4260 2SX

Slot 1

Slot 2

OL-18504-01

GigabitEthernet2/0 GigabitEthernet2/1 GigabitEthernet2/2 GigabitEthernet2/3

GigabitEthernet3/0 GigabitEthernet3/1 GigabitEthernet3/2 GigabitEthernet3/3

GigabitEthernet0/1

GigabitEthernet2/0 GigabitEthernet2/1

GigabitEthernet3/0 GigabitEthernet3/1

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

2/0<->2/1

2/2<->2/3

3/0<->3/1 3/2<->3/3

All sensing ports can be paired together

Management0/0

1-7

How the Sensor Functions

Table 1-2 Interface Support (continued)

Chapter 1 Introducing the Sensor

Added Interface

Base Chassis

Cards

IPS 4260 10GE

Slot 1

Interfaces Supporting Inline VLAN Pairs (Sensing Ports)

GigabitEthernet0/1

TenGigabitEthernet2/0

Combinations Supporting Inline Interface Pairs

2/0<->2/1

Interfaces Not Supporting Inline (Command and Control Port)

Management0/0

TenGigabitEthernet2/1

IPS 4270-20 — — N/A Management0/0

Management0/1

IPS 4270-20 4GE-BP

Management0/0 Management0/1

Slot 1

GigabitEthernet3/0 GigabitEthernet3/1

3/0<->3/1 3/2<->3/3

GigabitEthernet3/2 GigabitEthernet3/3

Slot 2

GigabitEthernet4/0 GigabitEthernet4/1

4/0<->4/1

4/2<->4/3 GigabitEthernet4/2 GigabitEthernet4/3

IPS 4270-20 2SX

Slot 1

All sensing ports can be paired

together GigabitEthernet3/0

Management0/0 Management0/1

GigabitEthernet3/1

Slot 2

GigabitEthernet4/0 GigabitEthernet4/1

IPS 4270-20 10GE

Slot 1

All sensing ports can be paired

together TenGigabitEthernet5/0

Management0/0 Management0/1

TenGigabitEthernet5/1

Slot 2

TenGigabitEthernet7/0 TenGigabitEthernet7/1

NME IPS — GigabitEthernet0/1 by

ids-service-module command in the router configuration instead of VLAN pair or inline

GigabitEthernet0/1 by

ids-service-module command

in the router configuration

instead of VLAN pair or inline

interface pair

Management0/1

interface pair

1. To disable hardware bypass, pair the interfaces in any other combination (2/0<->2/2 and 2/1<->2/3, for example).

2. To disable hardware bypass, pair the interfaces in any other combination (2/0<->2/2 and 2/1<->2/3, for example).

3. Reserved for future use.

4. To disable hardware bypass, pair the interfaces in any other combination (2/0<->2/2 and 2/1<->2/3, for example).

5. Reserved for future use.

6. Reserved for future use.

7. Reserved for future use.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

1-8

OL-18504-01

Chapter 1 Introducing the Sensor

Note The IPS 4260 supports a mixture of 4GE-BP, 2SX, and 10GE cards. The IPS 4270-20 also supports a

mixture of 4GE-BP, 2SX, and 10GE cards up to a total of either six cards, or sixteen total ports, which ever is reached first, but is limited to only two 10GE card in the mix of cards.

TCP Reset Interfaces

This section explains the TCP reset interfaces and when to use them. It contains the following topics:

• Understanding Alternate TCP Reset Interfaces, page 1-9

• Designating the Alternate TCP Reset Interface, page 1-10

Understanding Alternate TCP Reset Interfaces

Note The alternate TCP reset interface setting is ignored in inline interface or inline VLAN pair mode,

because resets are sent inline in these modes.

How the Sensor Functions

You can configure sensors to send TCP reset packets to try to reset a network connection between an attacker host and its intended target host. In some installations when the interface is operating in promiscuous mode, the sensor may not be able to send the TCP reset packets over the same sensing interface on which the attack was detected. In such cases, you can associate the sensing interface with an alternate TCP reset interface and any TCP resets that would otherwise be sent on the sensing interface when it is operating in promiscuous mode are instead sent out on the associated alternate TCP reset interface.

If a sensing interface is associated with an alternate TCP reset interface, that association applies when the sensor is configured for promiscuous mode but is ignored when the sensing interface is configured for inline mode.

With the exception of the IDSM2, any sensing interface can serve as the alternate TCP reset interface for another sensing interface. The alternate TCP reset interface on the IDSM2 is fixed because of hardware limitation.

Note There is only one sensing interface on IPS modules (AIM IPS, AIP SSM, and NME IPS).

Table 1 -3 lists the alternate TCP reset interfaces.

Table 1-3 Alternate TCP Reset Interfaces

Sensor Alternate TCP Reset Interface

AIM IPS None

AIP SSM-10 None

AIP SSM-20 None

AIP SSM-40 None

IDSM2 System0/1

IPS 4240 Any sensing interface

IPS 4255 Any sensing interface

OL-18504-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

1-9

How the Sensor Functions

Table 1-3 Alternate TCP Reset Interfaces (continued)

Sensor Alternate TCP Reset Interface

IPS 4260 Any sensing interface

IPS 4270-20 Any sensing interface

NME IPS None

1. This is an internal interface on the Catalyst backplane.

Designating the Alternate TCP Reset Interface

You need to designate an alternate TCP reset interface in the following situations:

• When a switch is being monitored with either SPAN or VACL capture and the switch does not accept

incoming packets on the SPAN or VACL capture port.

• When a switch is being monitored with either SPAN or VACL capture for multiple VLANs, and the

switch does not accept incoming packets with 802.1q headers.

Chapter 1 Introducing the Sensor

• When a network tap is used for monitoring a connection.

Interface Restrictions

The following restrictions apply to configuring interfaces on the sensor:

• Physical Interfaces

Note The TCP resets need 802.1q headers to tell which VLAN the resets should be sent on.

Note Taps do not permit incoming traffic from the sensor.

You can only assign a sensing interface as an alternate TCP reset interface. You cannot configure the management interface as an alternate TCP reset interface.

–

On modules (AIM IPS, AIP SSM, IDSM2, and NME IPS), all backplane interfaces have fixed speed, duplex, and state settings. These settings are protected in the default configuration on all backplane interfaces.

–

For nonbackplane FastEthernet interfaces the valid speed settings are 10 Mbps, 100 Mbps, and auto. Valid duplex settings are full, half, and auto.

–

For Gigabit copper interfaces (1000-TX on the IPS 4240, IPS 4255, IPS 4260, and IPS 4270-20), valid speed settings are 10 Mbps, 100 Mbps, 1000 Mbps, and auto. Valid duplex settings are full, half, and auto.

–

For Gigabit (copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid duplex setting is auto.

–

The command and control interface cannot also serve as a sensing interface.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

1-10

OL-18504-01

Chapter 1 Introducing the Sensor

• Inline Interface Pairs

• Inline VLAN Pairs

How the Sensor Functions

–

Inline interface pairs can contain any combination of sensing interfaces regardless of the physical interface type (copper versus fiber), speed, or duplex settings of the interface. However, pairing interfaces of different media type, speeds, and duplex settings may not be fully tested or supported.

–

The command and control interface cannot be a member of an inline interface pair.

–

You cannot pair a physical interface with itself in an inline interface pair.

–

A physical interface can be a member of only one inline interface pair.

–

You can only configure bypass mode and create inline interface pairs on sensor platforms that support inline mode.

–

A physical interface cannot be a member of an inline interface pair unless the subinterface mode of the physical interface is none.

–

You cannot pair a VLAN with itself.

–

You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair.

–

For a given sensing interface, a VLAN can be a member of only one inline VLAN pair. However, a given VLAN can be a member of an inline VLAN pair on more than one sensing interface.

–

The order in which you specify the VLANs in an inline VLAN pair is not significant.

–

A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs.

• Alternate TCP Reset Interface

–

You can only assign the alternate TCP reset interface to a sensing interface. You cannot configure the command and control interface as an alternate TCP reset interface. The alternate TCP reset interface option is set to none as the default and is protected for all interfaces except the sensing interfaces.

–

You can assign the same physical interface as an alternate TCP reset interface for multiple sensing interfaces.

–

A physical interface can serve as both a sensing interface and an alternate TCP reset interface.

–

The command and control interface cannot serve as the alternate TCP reset interface for a sensing interface.

–

A sensing interface cannot serve as its own alternate TCP reset interface.

–

You can only configure interfaces that are capable of TCP resets as alternate TCP reset interfaces.

Note The exception to this restriction is the IDSM2. The alternate TCP reset interface

assignments for both sensing interfaces is System0/1 (protected).

• VLAN Groups

–

You can configure any single interface for promiscuous, inline interface pair, or inline VLAN pair mode, but no combination of these modes is allowed.

–

You cannot add a VLAN to more than one group on each interface.

–

You cannot add a VLAN group to multiple virtual sensors.

OL-18504-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

1-11

How the Sensor Functions

Interface Modes

Chapter 1 Introducing the Sensor

–

An interface can have no more than 255 user-defined VLAN groups.

–

When you pair a physical interface, you cannot subdivide it; you can subdivide the pair.

–

You can use a VLAN on multiple interfaces; however, you receive a warning for this configuration.

–

You can assign a virtual sensor to any combination of one or more physical interfaces and inline VLAN pairs, subdivided or not.

–

You can subdivide both physical and logical interfaces into VLAN groups.

–

CLI, IDM, and IME prompt you to remove any dangling references. You can leave the dangling references and continue editing the configuration.

–

CLI, IDM, and IME do not allow configuration changes in Analysis Engine that conflict with the interface configuration.

–

CLI allows configuration changes in the interface configuration that cause conflicts in the Analysis Engine configuration. IDM and IME do not allow changes in the interface configuration that cause conflicts in the Analysis Engine configuration.

The following section describes the interface modes, and contains the following topics:

Promiscuous Mode

In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow with the forwarded traffic. The disadvantage of operating in promiscuous mode, however, is the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack. While such response actions can prevent some classes of attacks, in atomic attacks the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an ACL modification on a managed device (such as a firewall, switch, or router).

By default, all sensing interfaces are in promiscuous mode. To change an interface from inline interface mode to promiscuous mode, delete any inline interface that contains that interface and delete any inline VLAN pair subinterfaces of that interface from the interface configuration.

• Promiscuous Mode, page 1-12

• IPv6, Switches, and Lack of VACL Capture, page 1-13

• Inline Interface Pair Mode, page 1-14

• Inline VLAN Pair Mode, page 1-15

• VLAN Group Mode, page 1-15

• Deploying VLAN Groups, page 1-16

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

1-12

OL-18504-01

+ 382 hidden pages

Cisco IPS-4255-K9 - Intrusion Protection Sys 4255, IPS 4255, IPS 4260, IPS 4270-20, AIP SSM-10 Installation Manual

Specifications and Main Features

Frequently Asked Questions

User Manual